Malicious PyPI Package Targets Discord Developers
A new malware package has been discovered on PyPI, this time targeting Discord developers. The package, named pycord-self, steals authentication tokens and installs a backdoor, allowing its operators to gain remote access to the victim’s system.
This malicious package disguises itself as the popular discord.py-self (which has 28 million downloads) and even provides some of that library's real functionality, so it appears to work as expected. The genuine discord.py-self is a Python library for interacting with Discord's user API and managing accounts programmatically. It's commonly used for automation, bot creation, moderation, notifications, and executing commands or extracting data without a bot account.
According to experts at Socket, the malicious package appeared on PyPI as early as June of last year and has been downloaded 885 times over the past several months.
How Pycord-self Works
The pycord-self package performs two main malicious actions:
- Stealing Discord authentication tokens: The package collects authentication tokens and sends them to attackers via an external URL. With these stolen tokens, hackers can take over a developer’s account without needing login credentials, even if two-factor authentication is enabled.
- Installing a hidden backdoor: The malware establishes a persistent connection to a remote server on port 6969, creating a backdoor for remote access.
“Depending on the operating system, a shell is launched (bash on Linux or cmd on Windows), giving attackers persistent access to the victim’s system,” Socket researchers explain. “The backdoor runs in a separate thread, making it difficult to detect, as the package itself continues to appear functional.”
Security Recommendations
Researchers once again remind developers to verify the authorship of packages before installing them and to pay close attention to library names to avoid falling victim to typosquatting attacks.
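The name check the researchers recommend can be made routine rather than left to eyeballing. The script below is an added example (not code from Socket or from the discord.py-self project): it parses a requirements file, normalizes package names the way PyPI does, and classifies each dependency as approved, unknown, or a possible lookalike of an approved package. The approved list, the similarity threshold of 0.6, and the sample requirements are constructed for illustration; the lookalike test uses the standard library's `difflib.SequenceMatcher`, which is a heuristic and will also rate some legitimate sibling packages as similar, so the output is a review queue, not a verdict.

```python
"""Flag dependencies that are not on an approved list and that look like
lookalikes of approved packages (a typosquatting review heuristic).

Added example; the approved list, threshold, and sample input are constructed.
"""
import re
from difflib import SequenceMatcher

# Constructed allowlist for this example. In practice this would be the
# set of packages an organization has actually reviewed.
APPROVED = {"discord.py-self", "discord.py", "requests"}

# Similarity at or above this value is treated as "close enough to review".
# 0.6 is a constructed, tunable threshold, not a published standard.
LOOKALIKE_THRESHOLD = 0.6


def normalize(name: str) -> str:
    """Apply PyPI name normalization: lowercase, collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Extract bare package names from requirements.txt-style lines.

    Version specifiers, comments, and option lines (e.g. '-r other.txt')
    are ignored; only the leading name token is kept.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(match.group(1))
    return names


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how similar two normalized names are."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify(name: str, approved=APPROVED, threshold=LOOKALIKE_THRESHOLD) -> tuple:
    """Return (status, related_approved_name_or_None) for one dependency.

    status is 'approved', 'possible-typosquat', or 'unknown'.
    """
    approved_by_norm = {normalize(p): p for p in approved}
    norm = normalize(name)
    if norm in approved_by_norm:
        return ("approved", approved_by_norm[norm])
    if not approved:
        return ("unknown", None)
    closest = max(sorted(approved), key=lambda p: similarity(name, p))
    if similarity(name, closest) >= threshold:
        return ("possible-typosquat", closest)
    return ("unknown", None)


def audit(text: str, approved=APPROVED) -> dict:
    """Classify every dependency in a requirements file; keyed by raw name."""
    return {name: classify(name, approved) for name in parse_requirements(text)}


# Constructed sample input: one approved name, one lookalike of it,
# one approved name with a version specifier, and one unreviewed package.
SAMPLE_REQUIREMENTS = """\
discord.py-self==2.0.0
pycord-self       # the lookalike from the report
requests>=2.31
numpy
"""

if __name__ == "__main__":
    for pkg, (status, related) in audit(SAMPLE_REQUIREMENTS).items():
        suffix = f" (resembles approved package {related})" if status == "possible-typosquat" else ""
        print(f"{status:20} {pkg}{suffix}")
```

Run against a real requirements file, anything reported as `possible-typosquat` should be checked by hand on PyPI (author, project links, release history, download counts) before it is installed; anything reported as `unknown` is simply outside the reviewed set and needs the same check. The normalization step matters because PyPI treats `discord.py-self`, `discord_py_self`, and `Discord-Py-Self` as the same project, so comparisons on raw names would miss obvious matches.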