PyPI package with 100K installs pirated music from Deezer for years
Published on: 2025-11-20 20:59:36
A malicious PyPI package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
Deezer is a music streaming service available in 180 countries that offers access to over 90 million tracks, playlists, and podcasts. It is offered via an ad-supported free tier or paid subscriptions that support higher audio quality and offline listening.
Security firm Socket discovered the malicious package and found that it pirates music by using hard-coded Deezer credentials to download media and scrape metadata from the platform.
Even though piracy tools aren't commonly seen as malware, automslc uses command-and-control (C2) infrastructure for centralized control, potentially co-opting unsuspecting users into a distributed network.
Moreover, the tool could easily be repurposed for other malicious activity, so anyone who installs it is exposed to ongoing risk.
At the time of writing this