Cybersecurity researchers have uncovered malicious packages uploaded to the Python Package Index (PyPI) repository that act as checker tools to validate stolen email addresses against TikTok and Instagram APIs.
All three packages are no longer available on PyPI. The names of the Python packages are below –
checker-SaGaF (2,605 downloads)
steinlurks (1,049 downloads)
sinnercore (3,300 downloads)
“True to its name, checker-SaGaF checks if an email is associated with a TikTok account and an Instagram account,” Socket researcher Olivia Brown said in an analysis published last week.
Specifically, the package is designed to send HTTP POST requests to TikTok’s password recovery API and Instagram’s account login endpoints to determine if an email address passed as input is valid, meaning there exists an account holder corresponding to that email address.
“Once threat actors have this information, just from an email address, they can threaten to dox or spam, conduct fake report attacks to get accounts suspended, or solely confirm target accounts before launching a credential stuffing or password spraying exploit,” Brown said.
“Validated user lists are also sold on the dark web for profit. It can seem harmless to construct dictionaries of active emails, but this information enables and accelerates entire attack chains and minimizes detection by only targeting known-valid accounts.”
The second package “steinlurks,” in a similar manner, targets Instagram accounts by sending forged HTTP POST requests mimicking the Instagram Android app to evade detection. It achieves this by targeting different API endpoints –
i.instagram[.]com/api/v1/users/lookup/
i.instagram[.]com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/
i.instagram[.]com/api/v1/accounts/send_recovery_flow_email/
www.instagram[.]com/api/v1/web/accounts/check_email/
“Sinnercore,” on the other hand, aims to trigger the forgot password flow for a given username, targeting the API endpoint “b.i.instagram[.]com/api/v1/accounts/send_password_reset/” with fake HTTP requests containing the target’s username.
“There is also functionality targeting Telegram, namely extracting name, user ID, bio, and premium status, as well as other attributes,” Brown explained.
“Some parts of sinnercore are focused on crypto utilities, like getting real-time Binance price or currency conversions. It even targets PyPI programmers by fetching detailed info on any PyPI package, likely used for fake developer profiles or pretending to be developers.”
The disclosure comes as ReversingLabs detailed another malicious package named “dbgpkg” that masquerades as a debugging utility but implants a backdoor on the developer’s system to facilitate code execution and data exfiltration. While the package is not accessible anymore, it’s estimated to have been downloaded about 350 times.
Interestingly, the package in question has been found to contain the same payload as the one embedded in “discordpydebug,” which was flagged by Socket earlier this month. ReversingLabs said it also identified a third package called “requestsdev” that’s believed to be part of the same campaign. It attracted 76 downloads before being taken down.
Further analysis has determined that the package’s backdoor technique using GSocket resembles that of Phoenix Hyena (aka DumpForums or Silent Crow), a hacktivist group known for targeting Russian entities, including Doctor Web, in the aftermath of the Russo-Ukrainian war in early 2022.
While the attribution is tentative at best, ReversingLabs pointed out that the activity could also be the work of a copycat threat actor. However, the use of identical payloads and the fact that “discordpydebug” was first uploaded in March 2022 strengthen the case for a possible connection to Phoenix Hyena.
“The malicious techniques used in this campaign, including a specific type of backdoor implant and the use of Python function wrapping, show that the threat actor behind it is sophisticated and very careful to avoid detection,” security researcher Karlo Zanki said.
“The use of function wrapping and tools like the Global Socket Toolkit show that the threat actors behind it were also looking to establish long-term presence on compromised systems without being noticed.”
The findings also coincide with the discovery of a malicious npm package called “koishi‑plugin‑pinhaofa” that installs a data‑exfiltration backdoor in chatbots powered by the Koishi framework. The package is no longer available for download from npm.
“Marketed as a spelling‑autocorrect helper, the plugin scans every message for an eight‑character hexadecimal string,” security researcher Kirill Boychenko said. “When it finds one, it forwards the full message, potentially including any embedded secrets or credentials, to a hard-coded QQ account.”
“Eight character hex often represent short Git commit hashes, truncated JWT or API tokens, CRC‑32 checksums, GUID lead segments, or device serial numbers, each of which can unlock wider systems or map internal assets. By harvesting the whole message the threat actor also scoops up any surrounding secrets, passwords, URLs, credentials, tokens, or IDs.”
