
Socket analysts reported their findings to the Python Package Index (PyPI), and malicious packages were removed from it. However, some of them had been present on PyPI for more than four years, and one package was downloaded more than 18,000 times.
Malware was identified in the following packages:
- Coffin-Codes-Pro (9000 downloads);
- Coffin-Codes-NET2 (6200 downloads);
- Coffin-Codes-NET (6100 downloads);
- Coffin-Codes-2022 (18,100 downloads);
- Coffin2022 (6500 downloads);
- Coffin-Grave (6500 downloads); and
- cfc-bsb (2900 downloads).
The malicious Coffin packages pose as the legitimate Coffin adapter that integrates Jinja2 templates into Django projects.
Their malicious functionality includes covert remote access and data exfiltration via Gmail.
The packages use hardcoded credentials to log into the Gmail SMTP server (smtp.
) and transmit information collected on victim hosts to their operators, thus, enabling them to remotely access compromised systems. Since Gmail is a trusted resource, firewalls and EDR systems are unlikely to consider such activity suspicious.
After sending the stolen data by email, the malware connects to the remote server over SSL using WebSocket and receives instructions on setting up an encrypted bidirectional tunnel from the host to the attacker.
Using the Client class, the malware tunnels traffic from the remote host to the local system to provide access to the internal admin panel and API and perform such operations as file transfer, email theft, execution of shell commands, collection of credentials, and lateral movement.
Based on the email addresses used (e.g. blockchain.
), Socket analysts conclude that the primary purpose of the malicious packages is to steal cryptocurrency, especially taking that similar tactics were previously used to steal Solana private keys.

2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →