Cybersecurity researchers have uncovered several malicious Python Package Index (PyPI) packages designed to validate stolen email addresses against TikTok and Instagram APIs. These packages, now removed from PyPI, allowed threat actors to verify active accounts and exploit them for phishing, doxxing, and credential-stuffing attacks.
Impacted Packages
- checker-SaGaF (2,605 downloads): Designed to check if an email is linked to a TikTok or Instagram account using password recovery APIs.
- steinlurks (1,049 downloads): Mimicked Instagram’s Android app to evade detection while verifying email addresses.
- sinnercore (3,300 downloads): Triggered the password reset function and harvested Telegram user information. It also included cryptocurrency-related utilities.
Do You Need Help?
XEye Security offers you the ultimate proactive and cost-effective approach and solutions to combating all types of cyber threats, ensuring compliance, and implementing robust security measures.
Security Implications
The validation of stolen email addresses poses significant security risks:
- Account Verification for Targeted Attacks – Attackers confirm active accounts before launching credential stuffing or phishing attempts.
- Dark Web Sales – Lists of verified accounts are often sold to malicious actors.
- Increased Detection Evasion – By exclusively targeting existing accounts, cybercriminals minimize suspicion.
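As an added illustration, not code from the article or from the packages it describes, here is the server-side flaw these checkers rely on beside its fix: a password-recovery handler that answers differently for known and unknown addresses next to one that replies uniformly, rate-limits per source, and does not leak a match through timing. `USERS`, `SENT`, `reset_leaky` and `reset_hardened` are assumed names, and the user store is constructed sample data.

```python
import hmac
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample user store; the addresses are placeholders, not real accounts.
USERS = {"alice@example.com", "bob@example.com"}
SENT = []  # reset e-mails "sent" by the hardened handler (recorded instead of mailed)


def reset_leaky(email: str) -> dict:
    """Leaky handler: the reply differs for known and unknown addresses, so a
    caller can confirm whether an e-mail has an account without owning it."""
    if email in USERS:
        return {"status": 200, "body": "Reset link sent."}
    return {"status": 404, "body": "No account with that email."}


WINDOW_SECONDS = 600          # sliding window for the per-source limit
MAX_REQUESTS = 5              # reset requests allowed per source per window
_recent = defaultdict(deque)  # source id -> timestamps of recent requests


def send_reset_email(email: str) -> None:
    SENT.append(email)        # stand-in for the real mail-out


def reset_hardened(email: str, source: str, now: Optional[float] = None) -> dict:
    """Hardened handler: identical reply whether or not the address exists,
    a per-source rate limit, and a lookup whose cost does not depend on a hit."""
    now = time.time() if now is None else now
    q = _recent[source]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()           # drop requests that fell outside the window
    if len(q) >= MAX_REQUESTS:
        return {"status": 429, "body": "Too many requests. Try again later."}
    q.append(now)
    norm = email.strip().lower()
    # Compare against every stored address so timing does not reveal a match.
    matches = [hmac.compare_digest(norm.encode(), u.encode()) for u in USERS]
    if any(matches):
        send_reset_email(norm)  # side effect only; the response is the same either way
    return {"status": 200,
            "body": "If an account exists for that address, a reset link has been sent."}
```

Pair the uniform response with server-side monitoring of reset volume per source, since the packages described above depend on being able to iterate many addresses cheaply.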
Connections to Other Threats
A separate PyPI package, dbgpkg, was uncovered posing as a debugging tool but contained a backdoor capable of executing malicious code. Researchers linked it to discordpydebug, another malicious package with similar payloads. Speculation suggests a possible connection to Phoenix Hyena, a hacktivist group targeting Russian entities.
Additionally, a recent npm package, “koishi-plugin-pinhaofa,” introduced a backdoor in chatbots, scanning messages for sensitive data and sending them to a hard-coded QQ account. This demonstrates a growing trend of supply-chain attacks targeting developer ecosystems.
Recommendations
- Don’t post personal or sensitive data on social media.
- Never use any emails that are linked to your bank accounts on social media.
- Set strong passwords and always enable 2FA.