Analysis Summary

A significant supply chain security incident has impacted the Python open-source community following the discovery of seven malicious packages on the Python Package Index (PyPI) by Researchers Team. The packages—Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb—were intricately designed to exploit Gmail’s Simple Mail Transfer Protocol (SMTP) service to establish covert command-and-control (C2) tunnels.

This abuse of Gmail’s infrastructure allowed the malware’s communication to appear as normal email traffic, thereby evading most firewall and endpoint detection systems. These packages used SSL-encrypted connections to Gmail servers, relying on hardcoded attacker-controlled credentials such as sphacoffin@gmail.com. Upon installation, the malware would send a confirmation message to another attacker mailbox, blockchain.bitcoins2020@gmail.com, signaling the implant’s activation.

It would then open a secure WebSocket channel to receive further instructions. Through this tunnel, attackers could exfiltrate sensitive data, execute arbitrary shell commands, harvest credentials, transfer files, and pivot deeper into compromised networks.

Each package showed minor code variations that suggested ongoing development and persistence. Coffin-Codes-Pro set the foundation, establishing the initial tunneling and communication mechanisms. Coffin-Codes-NET and NET2 used new Gmail accounts with slight code updates. Coffin-Codes-2022, Coffin2022, and Coffin-Grave largely mirrored the original package’s structure and behavior. The oldest among them, cfc-bsb, dated back to March 2021 and, while less overtly malicious, still posed significant security risks.

The packages have since been removed from PyPI, but their extended presence highlights the difficulty in detecting and mitigating threats in open-source ecosystems. Bitcoin and Solana-related references found in the code hint at connections to previous cryptocurrency-targeted attacks. This incident exemplifies the increasing sophistication of open-source supply chain attacks and underscores the urgent need for heightened vigilance and security practices throughout the software development lifecycle.

Impact

• Command Execution
• Data Exfiltration
• Credential Theft

Remediation

• Remove and uninstall any of the malicious packages if found: Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb.
• Check all Python packages being used especially ones from PyPI, for anything unusual or suspicious.
• Implement package integrity verification using hash checks or software composition analysis tools to detect unauthorized modifications.
• Monitor outgoing email traffic, particularly SMTP connections to Gmail servers, for unusual patterns or unauthorized activity.
• Block outbound SMTP traffic to public email providers from internal servers unless explicitly required for business purposes.
• Conduct threat hunting for indicators of compromise, including use of known attacker email addresses and unusual WebSocket activity.
• Rotate credentials and API keys on systems that may have been exposed to the affected packages.
• Isolate and reimage any systems showing signs of compromise or unexplained network behavior.
• Educate developers and DevOps teams on the risks of using unvetted third-party packages from open-source repositories.
• Consider using private package repositories or dependency allowlists to reduce exposure to untrusted sources.
• Regularly review and update software supply chain security policies to include detection, response, and prevention controls.