7 Malicious PyPI Packages Abuse Gmail’s SMTP Protocol to Execute Malicious Commands
A highly advanced software supply chain attack has been uncovered, which exploits Python Package Index (PyPI) repositories to spread malware. This attack uses Google's SMTP infrastructure as a covert command-and-control (C2) channel. The campaign distributed seven malicious packages: Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. Collectively they exceeded 55,000 downloads before being taken down.

Advanced Communication Method

These malicious packages establish an SMTP connection to Gmail's servers using embedded credentials. Through this, a two-way communication tunnel is formed, allowing attackers to run remote commands and extract data from compromised systems. This method is particularly stealthy, as SMTP traffic typically bypasses firewall and endpoint defenses because it looks like normal outbound email communication.

The Coffin-Codes-Pro package exemplifies this attack. Once the initial SMTP connect...
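The article's key indicator is a package that builds an smtplib client and logs in with credentials hard-coded as string literals. The following static triage scanner is an added example written for this page, not code from the article or from any of the named packages; it uses Python's `ast` module to flag that combination in a package's source files (the sample inputs are constructed, with placeholder credentials), so a defender can sweep an environment's site-packages before trusting a dependency.

```python
import ast
from typing import List

SMTP_CLIENTS = {"SMTP", "SMTP_SSL"}  # smtplib client constructors


def _is_literal_str(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def scan_source(src: str) -> List[str]:
    """Return findings for one Python source text.

    Flags (a) smtplib.SMTP/SMTP_SSL created with a literal hostname and
    (b) a .login() call whose user and password are both string literals,
    i.e. embedded credentials; both together are rated HIGH as a possible
    mail-based C2 channel of the kind the article describes."""
    findings: List[str] = []
    smtp_hosts: List[str] = []
    literal_login = False
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Handles both smtplib.SMTP_SSL(...) and bare SMTP_SSL(...) after a from-import.
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in SMTP_CLIENTS and node.args and _is_literal_str(node.args[0]):
            smtp_hosts.append(node.args[0].value)
        if (isinstance(func, ast.Attribute) and func.attr == "login"
                and len(node.args) >= 2 and all(_is_literal_str(a) for a in node.args[:2])):
            literal_login = True
    findings += [f"smtp client to literal host {h}" for h in smtp_hosts]
    if literal_login:
        findings.append("login() with hard-coded credentials")
    if smtp_hosts and literal_login:
        findings.append("HIGH: embedded-credential SMTP session (possible mail-based C2)")
    return findings


# Constructed samples: the first mirrors the suspicious pattern, the second a
# benign mailer that reads its configuration from the environment.
SAMPLE_SUSPECT = '''
import smtplib
s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
s.login("someone@example.com", "PLACEHOLDER_PASSWORD")
'''
SAMPLE_BENIGN = '''
import os, smtplib
s = smtplib.SMTP(os.environ["SMTP_HOST"])
s.login(os.environ["SMTP_USER"], os.environ["SMTP_PASS"])
'''

if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, scan_source(sample))
```

Run it over every `.py` file under a package directory; a literal host with a literal login is not proof of malice, but it is the cheap first filter before manual review of what the package does with the mailbox.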