FortiGuard Labs Threat Research

Supply Chain Attack via New Malicious Python Packages by Malware Author Core1337

By Jin Lee | February 08, 2023

The FortiGuard Labs team recently discovered several new 0-day attacks in the PyPI packages (Python Package Index) by malware author ‘Core1337’, who published the following packages: ‘3m-promo-gen-api’, ‘Ai-Solver-gen’, ‘hypixel-coins’, ‘httpxrequesterv2’, and ‘httpxrequester’. These attacks were published between January 27 to January 29, 2023. Each package had one version and an empty description, and all contained similar malicious code. For brevity, this blog will examine the ‘3m-promo-gen-api’ package as representative of the entire set.

Figure 1: Author information

Figure 2: Empty project description of ‘3m-promo-gen-api’

Figure 3: Package release history of ‘3m-promo-gen-api’


The first thing we notice in its is what looks like a webhook URL:


Each package includes similar code in their except for the webhook URL. Examining the URL shows it may be related to a “Spidey Bot” malware known to steal personal information through Discord, as seen in our previous blog about the package web3-essential.

Figure 4: Webhook URL in

Figure 5: Content of the webhook URL

When we perform a static analysis by looking through its script, we spot several potential malicious behaviors, described below. Note that all the figures are from

Looking at the primary function, we get a general idea of malware behavior that may try to retrieve sensitive information from different browsers and Discord and save it to a file for exfiltration.


Figure 6: Main function ‘GatherAll’

Let’s look at the ‘getPassw’ function, for example. Below, it attempts to gather user and password information from the browsers listed in Figure 6 and then save it to a text file. The list of websites in Figure 8 may be used for retrieving the information mentioned earlier. We also see that the malware names itself ‘Fade Stealer,’ which can be seen when it writes its name at the top of its text file. Similar behavior is found in its ‘getCookie’ function.

Figure 7: Function ‘getPassw’

Figure 8: List of websites the malware takes an interest in retrieving sensitive information

Figure 9: Malware names itself ‘Fade Stealer’

Looking at the ‘upload’ function, we can see clear clues about what it may do, such as using the webhook URL to steal files and data, as discussed above. 

Figure 10: Snippets of code of the ‘upload’ function

From the functions ‘Kiwi’, ‘KiwiFile’, and ‘uploadToAnonfiles’, we can safely assume that it looks through specific folders and picks up specific file names for file transfer through the file-sharing site ‘’. Many of these keywords are related to logins, accounts, banks, etc.

Figure 11: Kiwi function shows a list of keywords of interest

Figure 12: KiwiFile function retrieves file names of keywords for upload

Figure 13: uploadToAnonfiles function uploads retrieved files to a file-sharing site


In this blog, a single malware author published several packages with entirely different names but with similar codes designed to launch attacks. The malware authors can execute malicious attacks with a single python script, such as stealing sensitive information using webhooks on Discord.

Fortinet Protections

FortiGuard Labs notified Python Package Index administrators about this malicious package, and they have confirmed that it has been taken down.

FortiGuard AntiVirus detects the malicious scripts identified in this report as Python/Agent.DC4D!tr.pws

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.

If you think this or any other cybersecurity threat has impacted you, contact our Global FortiGuard Incident Response Team

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.



Malicious URLs