
Malicious PyPI package "automslc" enables 104K+ unauthorized Deezer music downloads

February 26, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency

Cybersecurity researchers have flagged a malicious Python library on the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from the music streaming service Deezer.

The package in question is automslc, which has been downloaded over 104,000 times to date. First published in May 2019, it remains available on PyPI.

"Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions by embedding credentials and communicating with an external command-and-control (C2) server," Socket security researcher Kirill Boychenko said in a report published today.


Specifically, the package is designed to log in to the French music streaming platform using user-supplied and hard-coded credentials, collect track-related metadata, and download full audio files in violation of Deezer's API terms.

The package also periodically communicates with a remote server at "54.39.49[.]17:8031" to report download status updates, giving the threat actor centralized control over the coordinated music piracy operation.

In other words, automslc effectively turns the systems of the package's users into an illicit network for carrying out mass unauthorized music downloads. The IP address is mapped to a domain called "automatusic[.]win," which is said to be used by the threat actor to monitor the distributed download operation.


"Deezer's API terms prohibit the local or offline storage of full audio content, but by downloading and decrypting entire tracks it bypasses this restriction and may expose users to the risk of legal consequences," Boychenko said.

The disclosure comes as the software supply chain security company also described a rogue npm package called @ton-wallet/create that steals mnemonic phrases from unsuspecting users and developers in the TON ecosystem while impersonating the legitimate @ton/ton package.

The package, first published on the npm registry in August 2024, has attracted 584 downloads to date. It remains available for download.


The malicious functionality embedded in the library can extract the process. The information is then transmitted to a Telegram bot controlled by the attackers.

"This attack poses serious risks to supply chain security and targets developers and users integrating TON into their applications," Socket said. "Regular dependency audits and automated scanning tools should be used to identify anomalous or malicious behavior in third-party packages before they are integrated into production environments."
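As an added illustration of the kind of dependency audit recommended above (this is example code written for this page, not Socket's tooling or anything from the packages described), the following script checks a dependency list against the two package names reported in the article and scans package source for the two indicators the article describes: a hard-coded IP:port endpoint like the reported C2 address and a Telegram Bot API URL used for exfiltration. The sample source snippet is constructed; the bot token in it is a placeholder.

```python
"""Minimal dependency audit for the indicators described in the article.

Added example, not code from the article or from Socket. The package names
and the C2 address come from the article; the source snippet is constructed.
"""
import re
from typing import Dict, List

# Package names reported in the article (one PyPI, one npm).
KNOWN_MALICIOUS = {"automslc", "@ton-wallet/create"}

# Hard-coded IPv4:port literal, e.g. 54.39.49.17:8031 (the article's reported
# C2 endpoint, shown there defanged as 54.39.49[.]17:8031).
IP_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")

# Telegram Bot API URL, the exfiltration channel described for @ton-wallet/create.
TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+", re.I)

# Constructed sample resembling the beaconing and exfiltration the article
# describes. The bot token is a placeholder, not a real credential.
SAMPLE_SOURCE = '''
STATUS_URL = "http://54.39.49.17:8031/status"
EXFIL = "https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage"
'''


def package_name(spec: str) -> str:
    """Extract the bare package name from a requirement or npm spec.

    Handles pins such as "automslc==1.2.0" and scoped npm names such as
    "@ton-wallet/create@2.0.1" (the leading "@" is part of the name).
    """
    spec = spec.strip()
    scoped = spec.startswith("@")
    body = spec[1:] if scoped else spec
    name = re.split(r"[=<>!~@\s]", body, maxsplit=1)[0]
    return ("@" + name if scoped else name).lower()


def audit_requirements(lines: List[str]) -> List[str]:
    """Return the names in a dependency list that match the blocklist."""
    hits = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        name = package_name(stripped)
        if name in KNOWN_MALICIOUS:
            hits.append(name)
    return hits


def scan_source(text: str) -> Dict[str, List[str]]:
    """Flag hard-coded network indicators in package source text."""
    return {
        "c2_endpoints": IP_PORT_RE.findall(text),
        "telegram_bots": TELEGRAM_RE.findall(text),
    }


def audit(requirements: List[str], source: str) -> Dict[str, List[str]]:
    """Combine both checks into one report; empty lists mean nothing found."""
    report = {"blocklisted": audit_requirements(requirements)}
    report.update(scan_source(source))
    return report


if __name__ == "__main__":
    deps = ["requests>=2.31", "automslc==1.2.0", "@ton-wallet/create@2.0.1"]
    for key, findings in audit(deps, SAMPLE_SOURCE).items():
        print(f"{key}: {findings}")
```

The blocklist check catches the named packages only; the source scan is what generalizes, since a package that beacons to a bare IP:port or posts to a Telegram bot is unusual enough in a music or wallet library to deserve manual review before it reaches a build.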
