Malicious PyPI Package Conceals RAT Malware Targeting Discord Developers Since 2022
A malicious Python package designed to target Discord developers with remote access trojan (RAT) malware has been discovered on the Python Package Index (PyPI) after being active for over three years. Identified as “discordpydebug,” this package posed as an error logging utility intended for developers working on Discord bots. It has been downloaded over 11,000 times since its upload date of March 21, 2022, despite lacking any description or documentation.
The cybersecurity firm Socket, which uncovered the threat, notes that the malware could let attackers backdoor Discord developers’ systems, enabling data theft and remote code execution. The package specifically targeted developers who create or maintain Discord bots, including independent developers, automation engineers, and small teams that may install such tools without thorough scrutiny.
The absence of rigorous security audits for uploaded packages on PyPI permits malicious actors to exploit this weakness by using misleading descriptions and legitimate-sounding names or even replicating code from well-known projects to gain trust.
Once the malicious package is installed, it turns the device into a remote-controlled machine that executes instructions sent from a command-and-control (C2) server operated by the attackers. The malware’s functionality includes unauthorized access to sensitive credentials such as tokens, keys, and configuration files, data theft, and covert monitoring of system activity. Furthermore, the malware can execute remote code to deploy additional malicious payloads and gather intelligence for lateral movement within the network.
The malware has no persistence or privilege-escalation mechanism; instead, it relies on outbound HTTP polling rather than inbound connections, which helps it slip past firewalls and security software, especially in loosely controlled environments.
Upon installation, the infected machine silently connects to an attacker-controlled C2 server, sending a POST request with a “name” value to register the compromised host in the attackers’ infrastructure. The malicious package also includes functionality to read and write files on the host machine using JSON operations when prompted by specific keywords from the C2 server, giving the threat actors visibility into sensitive information.
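As an added illustration of the outbound-polling pattern described above (this is not code from the article or from Socket's analysis), the following Python script scans proxy log lines and flags hosts whose POST requests to a single URL recur at near-constant intervals, the beacon-like shape that periodic C2 polling produces. The log lines, hosts, and URLs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article): timestamp, client host, method, URL.
# 10.0.0.5 POSTs to one endpoint roughly every 60 s; 10.0.0.9 shows ordinary, irregular traffic.
SAMPLE_LOG = """\
2024-06-01T10:00:00 10.0.0.5 POST http://c2.example.invalid/poll
2024-06-01T10:01:00 10.0.0.5 POST http://c2.example.invalid/poll
2024-06-01T10:02:01 10.0.0.5 POST http://c2.example.invalid/poll
2024-06-01T10:03:00 10.0.0.5 POST http://c2.example.invalid/poll
2024-06-01T10:04:00 10.0.0.5 POST http://c2.example.invalid/poll
2024-06-01T10:00:12 10.0.0.9 GET http://pypi.org/simple/requests/
2024-06-01T10:07:40 10.0.0.9 POST http://api.example.invalid/upload
2024-06-01T10:31:05 10.0.0.9 POST http://api.example.invalid/upload
2024-06-01T10:33:50 10.0.0.9 POST http://api.example.invalid/upload
2024-06-01T11:02:19 10.0.0.9 POST http://api.example.invalid/upload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def parse_log(text):
    """Yield (timestamp, host, method, url) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, method, url = m.groups()
            yield datetime.fromisoformat(ts), host, method, url


def find_polling(text, min_requests=4, max_jitter=0.2):
    """Return {(host, url): mean_interval_seconds} for POST streams whose inter-request
    gaps are nearly constant (standard deviation / mean <= max_jitter)."""
    times = defaultdict(list)
    for ts, host, method, url in parse_log(text):
        if method == "POST":
            times[(host, url)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits
```

Tune `min_requests` and `max_jitter` to the log window you analyze; legitimate schedulers (update checks, telemetry) also poll regularly, so treat a hit as a lead to review, not a verdict.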
To reduce the likelihood of inadvertently installing backdoored packages from online repositories, developers should verify that any package they download and install originates from a trusted source. Particularly for popular tools, confirming that a package comes from its official author is critical to avoiding typosquatting risks. Additionally, when integrating open-source libraries, developers should review the code for suspicious or obfuscated functions and consider employing security tools designed to detect and block harmful packages.