Cybersecurity researchers have discovered a set of malicious Python packages uploaded to the Python Package Index (PyPI) that were designed to verify stolen email addresses against TikTok and Instagram APIs. These packages posed as tools to check whether specific email addresses were linked to existing accounts on the platforms.
All three packages have since been removed from PyPI. The names and download counts of the packages are as follows:
- checker-SaGaF – 2,605 downloads
- steinlurks – 1,049 downloads
- sinnercore – 3,300 downloads
According to an analysis by a Socket researcher, checker-SaGaF functioned by sending HTTP POST requests to TikTok’s password recovery API and Instagram’s login endpoints. This allowed it to determine if an email address was linked to an active account on either platform.
“Once cybercriminals have this kind of validated email information, they can carry out a range of malicious activities,” the Socket researcher explained. “This includes doxing, spam, fake reporting to get accounts suspended, or launching credential stuffing and password spraying attacks. Verified lists of active users can also be sold on the Dark Web for profit. What seems like a simple email verification tool can actually fuel extensive attack campaigns and reduce detection rates by only targeting known-valid accounts.”
The second package, steinlurks, similarly targeted Instagram users by simulating the behavior of the Instagram Android app. It sent forged POST requests to multiple Instagram API endpoints to bypass security detection:
- i.instagram[.]com/api/v1/users/lookup/
- i.instagram[.]com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/
- i.instagram[.]com/api/v1/accounts/send_recovery_flow_email/
- www.instagram[.]com/api/v1/web/accounts/check_email/
The third package, sinnercore, was focused on initiating the “forgot password” process for specific usernames. It targeted the endpoint b.i.instagram[.]com/api/v1/accounts/send_password_reset/ using fake HTTP requests containing the usernames of intended victims.
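As an added example (not code from the Socket report or from the packages themselves), the following Python script turns the indicators given above, the three package names and the five endpoint paths, into a defensive check: it walks a project tree and flags requirement entries or installed `dist-info` metadata that name those packages, and Python source files that reference those endpoint paths. Matching is done on the URL path alone so that both the defanged form quoted in the report (`i.instagram[.]com`) and a live URL are caught; package names are compared after PEP 503 normalization so spelling variants such as `Checker_SaGaF` still match. The file names, directory layout and file contents built in `demo()` are constructed for illustration.

```python
"""Added example, not code from the Socket report or the packages themselves:
scan a project tree for the PyPI package names and Instagram/TikTok API
endpoint paths named in the report above."""
import re
import tempfile
from pathlib import Path

# Package names from the report, stored in PEP 503 normalized form.
MALICIOUS_PACKAGES = {"checker-sagaf", "steinlurks", "sinnercore"}

# Endpoint paths quoted in the report. Hostnames are omitted so that both
# defanged ("i.instagram[.]com") and live forms are matched by the path alone.
SUSPICIOUS_ENDPOINT_PATHS = (
    "/api/v1/users/lookup/",
    "/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/",
    "/api/v1/accounts/send_recovery_flow_email/",
    "/api/v1/web/accounts/check_email/",
    "/api/v1/accounts/send_password_reset/",
)

# Requirement file names checked by scan_tree (an assumption for this example).
REQUIREMENT_FILES = {"requirements.txt", "requirements-dev.txt", "constraints.txt"}
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 name normalization: case-folded, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text: str) -> list[str]:
    """Return requirement names (as written) that resolve to a package from the report."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = _REQ_LINE.match(line)
        if m and normalize_name(m.group(1)) in MALICIOUS_PACKAGES:
            hits.append(m.group(1))
    return hits


def scan_metadata(text: str) -> list[str]:
    """Return the distribution name from a dist-info METADATA file if it is listed."""
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line[len("Name:"):].strip()
            return [name] if normalize_name(name) in MALICIOUS_PACKAGES else []
    return []


def scan_source(text: str) -> list[str]:
    """Return the suspicious endpoint paths that appear in a source file."""
    refanged = text.replace("[.]", ".")      # IoCs pasted from reports are defanged
    return [p for p in SUSPICIOUS_ENDPOINT_PATHS if p in refanged]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory and map each flagged file (relative POSIX path) to its findings."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        if path.name in REQUIREMENT_FILES:
            hits = scan_requirements(text)
        elif path.name == "METADATA" and path.parent.suffix == ".dist-info":
            hits = scan_metadata(text)
        elif path.suffix == ".py":
            hits = scan_source(text)
        else:
            continue
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed sample project tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "requirements.txt").write_text(
            "requests==2.31.0\nChecker_SaGaF==0.1\n# sinnercore  (commented out)\n")
        meta_dir = root / "venv" / "site-packages" / "steinlurks-1.0.dist-info"
        meta_dir.mkdir(parents=True)
        (meta_dir / "METADATA").write_text("Metadata-Version: 2.1\nName: steinlurks\n")
        (root / "tool.py").write_text(
            "URL = 'https://b.i.instagram[.]com/api/v1/accounts/send_password_reset/'\n")
        (root / "clean.py").write_text("print('hello')\n")
        return scan_tree(root)


if __name__ == "__main__":
    for file, hits in demo().items():
        print(f"{file}: {hits}")
```

Run against a real checkout with `scan_tree(Path("."))`; the `demo()` run flags the requirement entry, the installed distribution metadata and the source file, and leaves `clean.py` out. The scanner is deliberately string-based: it is a triage aid for the specific indicators published here, not a substitute for reviewing what a dependency actually does before installing it.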
These packages highlight the ongoing abuse of open-source repositories like PyPI to distribute tools for reconnaissance and exploitation in broader cybercriminal operations.