this post was submitted on 02 Mar 2025
69 points (97.3% liked)

Technology

63729 readers
3669 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s
enu
technopagan
L4s
69
Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads (thehackernews.com)
submitted 1 day ago by [email protected] to c/technology
7 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[โ€“] n0xew 8 points 1 day ago* (last edited 1 day ago) (1 children)

I agree the article isn't super clear. Reading it twice, it seems that the user credentials are exfiltrated to the C2 server (only the screenshot implies it), which definitely would be malicious.

Also a possible interpretation could be that the package advertised "just" some automations (e.g. export playlists to m3u?) and getting music metadata, whereas it was actually downloading musics locally unbeknownst to the user. Then exfiltrating the music back to the C2 server, effectively using the package's users to mass pirate musics without exposing the pirates directly. That would indeed be malicious, especially if the package did not advertise any content downloading.

But for the last paragraph I'm extrapolating on the few info this article gives without making much sense..

EDIT: from the original article here https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy it does not seem that the musics are downloaded on the user systems then extracted to the C2 server, but rather all that's necessary to build the download urls, including tokens tied to the victims' account.

[โ€“] kiagam 6 points 1 day ago

I see, makes sense, so the problem is that the user tokens are collected without knowledge and could be used for pirating