Popular PyPI Package Pirated Music from Deezer for Years: Here’s What to Know
A malicious PyPI package named automslc has been downloaded over 100,000 times from the Python Package Index (PyPI) since 2019. This package abused hard-coded credentials to pirate music from the Deezer streaming service. Deezer, a popular music streaming platform, offers access to over 90 million tracks, playlists, and podcasts. The package’s discovery has raised significant concerns about security and copyright violations.

How automslc Operated
The automslc package used hard-coded Deezer account credentials to log into the service. Once logged in, it requested track metadata and extracted internal decryption tokens, specifically MD5_ORIGIN, which Deezer uses for URL generation. The script then used internal API calls to request full-length streaming URLs and retrieve the entire audio file, bypassing the 30-second preview Deezer allows for public access. The downloaded audio files were stored locally on the user’s device in a high-quality format, allowing offline listening and distribution.
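As an added illustration written for this article (not code from Socket, Deezer, or the package itself), the following Python audit flags the indicators described above inside a local site-packages tree: a blocklisted distribution name, string literals assigned to credential-looking variables, and references to the Deezer-internal MD5_ORIGIN token. The package tree it scans is constructed inline, so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: the package name and the internal
# token name the package extracted. A real deployment would load a feed.
BLOCKLISTED_DISTS = {"automslc"}
SUSPICIOUS_TOKENS = {"MD5_ORIGIN"}

# A non-empty string literal assigned to a credential-looking variable name.
CRED_ASSIGN = re.compile(
    r'^\s*[A-Za-z_]*(?:password|passwd|secret|token|api_key)[A-Za-z_]*'
    r'\s*=\s*["\'][^"\']{4,}["\']',
    re.IGNORECASE | re.MULTILINE,
)


def audit_site_packages(site_packages: Path) -> dict:
    """Return findings for blocklisted dists, hard-coded creds, and token refs."""
    findings = {"blocklisted": [], "hardcoded_credentials": [], "internal_tokens": []}
    for dist_info in site_packages.glob("*.dist-info"):
        # "<name>-<version>.dist-info" -> normalised distribution name
        name = dist_info.name.split("-")[0].lower().replace("_", "-")
        if name in BLOCKLISTED_DISTS:
            findings["blocklisted"].append(name)
    for py in sorted(site_packages.rglob("*.py")):
        text = py.read_text(errors="ignore")
        rel = py.relative_to(site_packages).as_posix()
        if CRED_ASSIGN.search(text):
            findings["hardcoded_credentials"].append(rel)
        if any(tok in text for tok in SUSPICIOUS_TOKENS):
            findings["internal_tokens"].append(rel)
    return findings


def build_sample_tree() -> Path:
    """Constructed, hypothetical site-packages layout used for the demo."""
    root = Path(tempfile.mkdtemp())
    (root / "automslc-1.0.dist-info").mkdir()
    pkg = root / "automslc"
    pkg.mkdir()
    (pkg / "auth.py").write_text('DEEZER_PASSWORD = "example-not-real"\n')
    (pkg / "dl.py").write_text('tok = data["MD5_ORIGIN"]\n')
    (root / "requests").mkdir()
    (root / "requests" / "__init__.py").write_text("VERSION = '2.0'\n")
    return root


if __name__ == "__main__":
    print(audit_site_packages(build_sample_tree()))
```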
Security and Legal Risks
The use of automslc posed significant security and legal risks. The package operated using command-and-control (C2) infrastructure, suggesting that the threat actor actively monitored and coordinated the piracy activity. This centralized control raised the risk of introducing more malicious behaviors in future updates. Users of the package were exposed to potential malware risks and legal repercussions for violating Deezer’s terms of service and copyright laws.
Discovery and Impact
Security firm Socket discovered the malicious package and found that it pirates music by hardcoding Deezer credentials to download media and scrape metadata from the platform. Despite its illegal functions, the package remained available for download from PyPI at the time of writing. The identities of the package creators remain unknown, but aliases “hoabt2” and “Thanh Hoa” were linked to various accounts and GitHub repositories.
Conclusion
The automslc package highlights the ongoing challenges in securing software repositories and protecting intellectual property. Users must remain vigilant and cautious when downloading and using third-party packages. The discovery of automslc serves as a reminder of the importance of cybersecurity and the need for continuous monitoring and enforcement of copyright laws.