



Malicious PyPI Package Exploited Deezer's API, Orchestrates a Distributed Piracy Operation (socket.dev)
A malicious PyPI package effectively turned its users' systems "into an illicit network for facilitating bulk music downloads," writes The Hacker News.
Though the package has been removed from PyPI, researchers at security platform Socket.dev say it enabled "coordinated, unauthorized music downloads from Deezer — a popular streaming service founded in France in 2007." Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions... The package is designed to log into Deezer, harvest track metadata, request full-length streaming URLs, and download complete audio files in clear violation of Deezer's API terms... [I]t orchestrates a distributed piracy operation by leveraging both user-supplied and hardcoded Deezer credentials to create sessions with Deezer's API. This approach enables full access to track metadata and the decryption tokens required to generate full-length track URLs.
Additionally, the package routinely communicates with a remote server... to update download statuses and submit metadata, thereby centralizing control and allowing the threat actor to monitor and coordinate the distributed downloading operation. In doing so, automslc exposes critical track details — including Deezer IDs, International Standard Recording Codes, track titles, and internal tokens like MD5_ORIGIN (a hash used in generating decryption URLs) — which, when collected en masse, can be used to reassemble full track URLs and facilitate unauthorized downloads...
Even if a user pays for access to the service, the content is licensed, not owned. The automslc package circumvents licensing restrictions by enabling downloads and potential redistribution, which is outside the bounds of fair use...
"The malicious package was initially published in 2019, and its popularity (over 100,000 downloads) indicates wide distribution..."
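The write-up above names two indicators that distinguish this package from an ordinary API client: a hardcoded credential pair used alongside the user's own, and a remote status server the package reports to. The following is an added example, not code from the article, from Socket, or from the automslc package; it shows one way to triage a Python module's source for those indicators with a single AST walk. The credential-name regex and the set of network-call names are heuristics I chose, and SAMPLE_MODULE is a constructed stand-in whose values are placeholders (an RFC 5737 documentation address and `.invalid` hostnames), not real indicators.

```python
"""Added example, not code from the article, Socket, or the automslc package.

Static triage of a Python module for two indicators the write-up describes:
hardcoded service credentials alongside user-supplied ones, and hardcoded
remote endpoints reached by network calls (the phone-home pattern).
SAMPLE_MODULE is constructed for illustration; every value in it is a
placeholder, not a real credential or server.
"""
from __future__ import annotations

import ast
import re
from collections import Counter
from dataclasses import dataclass

# Variable names that usually hold secrets or account identifiers.
# Assumption: this list is a heuristic; tune it for what you are triaging.
CREDENTIAL_NAMES = re.compile(r"(pass(word)?|pwd|secret|token|api_?key|email|login|cred)", re.I)
URL_RE = re.compile(r"^https?://", re.I)
# Dotted call names treated as outbound network activity (heuristic, not exhaustive).
NETWORK_CALLS = {
    "requests.get", "requests.post", "requests.put",
    "urllib.request.urlopen", "urlopen",
    "httpx.get", "httpx.post",
}


@dataclass(frozen=True)
class Finding:
    kind: str     # "hardcoded_credential" | "hardcoded_url" | "network_call"
    line: int
    detail: str


def _dotted_name(node: ast.AST) -> str | None:
    """Rebuild 'requests.post' from an Attribute/Name chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def triage_source(source: str) -> list[Finding]:
    """Walk the AST once and collect the three indicator types."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        # 1. a string literal assigned to a credential-looking name
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and CREDENTIAL_NAMES.search(target.id):
                    findings.append(Finding("hardcoded_credential", node.lineno, target.id))
        # 2. any URL literal, wherever it appears (module constant or inline argument)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and URL_RE.match(node.value):
            findings.append(Finding("hardcoded_url", node.lineno, node.value))
        # 3. a call to a known network client function
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in NETWORK_CALLS:
                findings.append(Finding("network_call", node.lineno, name))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind; a module showing all three kinds deserves a manual look."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample mimicking the pattern in the write-up: a fallback
# credential pair, a status endpoint, and the calls that use them.
SAMPLE_MODULE = '''
import requests

FALLBACK_EMAIL = "fallback@example.invalid"     # placeholder, not a real account
FALLBACK_PASSWORD = "not-a-real-password"       # placeholder
STATUS_SERVER = "http://198.51.100.7/status"    # RFC 5737 documentation address

def login(email=None, password=None):
    email = email or FALLBACK_EMAIL
    password = password or FALLBACK_PASSWORD
    return requests.post("https://example.invalid/login",
                         data={"email": email, "password": password})

def report(track_id, state):
    requests.post(STATUS_SERVER, json={"id": track_id, "state": state})
'''


def triage_sample() -> list[Finding]:
    """Run the triage over the constructed sample module."""
    return triage_source(SAMPLE_MODULE)


if __name__ == "__main__":
    for f in sorted(triage_sample(), key=lambda f: f.line):
        print(f"line {f.line:>3}  {f.kind:<20}  {f.detail}")
```

Run it against an unpacked sdist or wheel by feeding each `.py` file to `triage_source`; a module that combines credential-looking string constants, a hardcoded endpoint and network calls is not proof of malice, but it is exactly the combination the write-up describes and is cheap to surface before a package is installed.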
So it has gotten _that_ easy? (Score:2)
It has gotten easy enough to make a supply-chain attack on Python that it is worthwhile just downloading music with it? That is a pathetic state of affairs.
Re: (Score:2)
How is it a supply chain attack?
Nothing was attacked.
Did someone go in and change an existing Python package? No.
Re: (Score:2)
This is a supply chain attack. You just do not know the definition of that term.
Re: (Score:2)
Nothing has been attacked.
The python package did what it claimed
It was specifically designed to allow access to the Deezer API and bypass its intended use. I would say bypass restrictions, but security through obscurity isn't really a restriction.
Re: (Score:2)
Learn to read. Seriously.
Re: (Score:2)
A supply chain attack is a type of cyberattack that targets a trusted third-party vendor who offers services or software vital to the supply chain.
Software supply chain attacks inject malicious code into an application in order to infect all users of an app, while hardware supply chain attacks compromise physical components for the same purpose.
Historically, supply chain attacks have referred to attacks against trusted relationships, in which an unsecure supplier in a chain is attacked in order to gain acce
Re: (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Do you see "trusted third-party vendor" anywhere in there?
So... (Score:2)
It's youtube-dl with extra steps? Seems complicated. Why not just use youtube-dl?
Re: (Score:3)
you might be being sarcastic here, but those extra steps involve getting loads of users to unknowingly use youtube-dl for you by tainting the official central component distribution platform for python, which is known as a supply chain attack.
Re: (Score:2)
Exactly. You don't need to do all that when you can just download the (reasonably high-quality, though not FLAC) music files from youtube just by grabbing the playlist (or you can write a quick script to grab all the playlists from an artist and download them).
Re: (Score:2)
ok, so you were not being sarcastic :) my assumption was that deezer carries content that is not regularly available on youtube, but it's quite possible that i'm wrong about that. then again, even if the same content is on youtube, there may still be incentive or profit in offering it in a more streamlined way or, as has been pointed out, maybe at higher quality.
another interesting bit is that 54.39.49.17 seems to be in quebec and deezer is a french service, maybe there's content of interest specifically to
Re: (Score:2)
Tongue-in-cheek was the order of the day. To be completely honest, I tend to buy my music through Bandcamp these days. It's not all that expensive, I get nice FLAC files, and no one has to screw around with making CDs that will eventually get lost next time I move houses anyway.
Even super obscure bands typically have their content on Youtube, in the form of "uploaded by vevo" (or whatever other record label rights manager they use) which is all nicely packaged in playlists.
Re: (Score:2)
Downloading from Youtube isn't as easy as it sounds when you're in North Korea.
Python SOP (Score:2)
Rapidly becoming the Wordpress of dev languages....
Re: (Score:2)
Rapidly becoming the Wordpress of dev languages....
That's the final state of any central non-curated software repository. Be it cargo, CPAN, pip...
And I am not advocating for Apple or Google walled gardens, just for a web of trust.
Re: (Score:2)
Another big one in the news was npm.
The Recording Artists that Cried Wolf. (Score:1)
This sounds like a lot of fearmongering, it's literally a web scraper, and they're pretending a web scraper is "malicious" not because it was used for piracy, and not even alleging any copyright infringement actually took place, but because they used "metadata" without a license.
Ironically I'm fairly certain that such metadata is already forbidden under the EU Digital Services Act in the first place, but we all know that it's really just a tool to extract money from businesses, just like this was used to justi