A sophisticated software supply chain attack used the Python Package Index (PyPI) to deploy malware. The campaign involved seven malicious packages, including Coffin-Codes-Pro, Coffin-Codes-NET, and Coffin2022, which collectively gained over 55,000 downloads before being removed. The attack used Google’s SMTP infrastructure for command-and-control, making the traffic appear legitimate to firewalls and endpoint detection systems. This stealthy method allowed attackers to execute commands and exfiltrate sensitive data without detection.
The malware establishes an SMTP connection to Gmail’s servers using hardcoded credentials, creating a bidirectional tunnel for communication. Once the connection is established, a WebSocket connection is set up for command-and-control channels, enabling remote execution of commands and data exfiltration. This technique has been evolving since at least 2021, with the oldest package, cfc-bsb, using WebSocket-based HTTP tunneling similar to Ngrok. Later versions improved the technique, consistently using Gmail’s SMTP server on port 465 for communication.
The malicious packages posed significant risks, enabling attackers to access internal dashboards, APIs, and admin panels. They could also harvest credentials, transfer files, execute shell commands, and establish persistence within the victim’s network. The reference to blockchain in the communication suggests cryptocurrency theft could be a primary motivation for the attackers. Experts note that this attack technique is particularly dangerous because SMTP traffic is often regarded as legitimate, bypassing many security measures.
Security experts recommend several mitigation steps, such as monitoring outbound SMTP traffic, verifying package authenticity, and conducting regular dependency audits. They also advise using isolated environments for testing third-party code and implementing strict access controls for sensitive resources. While all seven packages have been removed from PyPI, the attack technique remains a growing threat, aligning with the MITRE ATT&CK technique T1102.002 (Web Service: Bidirectional Communication), which covers command-and-control channels that ride on legitimate external services.
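The "monitor outbound SMTP traffic" recommendation above can be turned into a concrete host-side check. The following is an added example, not code from the original report or from the malicious packages: it reads constructed process-connection log lines (the `proc=... dst=host:port` format and the allow-list of legitimate mail programs are assumptions) and flags SMTP connections from processes that have no business sending mail, with a specific verdict for the Gmail port 465 pattern described above. It goes slightly beyond the page by also flagging ports 25 and 587, since a non-mail process on any SMTP port deserves a look.

```python
import re
from collections import namedtuple

# Assumed log format (constructed for this example):
#   "<timestamp> proc=<name> pid=<n> dst=<host>:<port> proto=tcp"
LOG_RE = re.compile(
    r"proc=(?P<proc>\S+)\s+pid=(?P<pid>\d+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)"
)

SMTP_PORTS = {25, 465, 587}          # plain, implicit-TLS (SMTPS), submission
GMAIL_SMTP_HOSTS = {"smtp.gmail.com"}  # the endpoint the campaign used on 465
# Processes expected to speak SMTP on this host (assumption; tune per fleet).
EXPECTED_MAILERS = {"thunderbird", "postfix", "sendmail", "msmtp"}

Finding = namedtuple("Finding", "ts proc pid host port reason")


def parse_line(line):
    """Return (ts, proc, pid, host, port) or None for lines that do not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = line.split()[0]
    return ts, m["proc"], int(m["pid"]), m["host"].lower(), int(m["port"])


def analyse(lines):
    """Flag SMTP connections from processes outside the mailer allow-list."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proc, pid, host, port = rec
        if port not in SMTP_PORTS or proc in EXPECTED_MAILERS:
            continue
        reason = "non-mail process opened an SMTP connection"
        if host in GMAIL_SMTP_HOSTS and port == 465:
            reason = "non-mail process -> Gmail SMTPS (465): matches the PyPI C2 tunnel pattern"
        findings.append(Finding(ts, proc, pid, host, port, reason))
    return findings


# Constructed sample log: one interpreter reaching Gmail on 465, one legitimate
# mail client doing the same, one normal HTTPS fetch, one odd curl on 587.
SAMPLE_LOG = [
    "2025-05-01T10:00:01Z proc=python3 pid=4242 dst=smtp.gmail.com:465 proto=tcp",
    "2025-05-01T10:00:05Z proc=thunderbird pid=1111 dst=smtp.gmail.com:465 proto=tcp",
    "2025-05-01T10:00:09Z proc=python3 pid=4242 dst=pypi.org:443 proto=tcp",
    "2025-05-01T10:01:00Z proc=curl pid=5555 dst=mail.example.net:587 proto=tcp",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.proc}[{f.pid}] -> {f.host}:{f.port}  {f.reason}")
```

In production the same logic would run over EDR or Zeek `conn` records joined with process metadata; the Gmail host match is deliberately kept separate so the generic SMTP rule still fires if the attackers move to another provider.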