PyPI package with 100K installs pirated music from Deezer for years

A malicious PyPI package named ‘automslc’ has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
Deezer is a music streaming service available in 180 countries that offers access to over 90 million tracks, playlists, and podcasts. It is offered via an ad-supported free tier or paid subscriptions that support higher audio quality and offline listening.
Security firm Socket discovered the malicious package and found that it pirates music by hardcoding Deezer credentials to download media and scrape metadata from the platform.
Even though piracy tools aren’t commonly seen as malware, automslc uses command-and-control (C2) infrastructure for centralized control, potentially co-opting unsuspecting users into a distributed network.
Moreover, the tool could easily be repurposed for other malicious activities, so its users are exposed to ongoing risk.
At the time of writing this, automslc is still available for download from PyPI.
Pirating Deezer music
The malicious package contains hardcoded Deezer account credentials, or uses credentials supplied by the user, to create an authenticated session with the service’s API.
Once logged in, it requests track metadata and extracts internal decryption tokens, specifically ‘MD5_ORIGIN,’ which Deezer uses for URL generation.
Next, the script uses internal API calls to request full-length streaming URLs and retrieve the entire audio file, bypassing the 30-second preview Deezer allows for public access.
The downloaded audio files are stored locally on the user’s device in a high-quality format, allowing offline listening and distribution.
This violates both Deezer’s terms of service and copyright laws, putting users at risk without their knowledge.
The automslc package can repeatedly request and download tracks without restriction, effectively allowing mass-scale piracy.
As for who is behind the package, Socket identified aliases “hoabt2” and “Thanh Hoa” on various accounts and GitHub repositories, but their identities are unknown.
If you are using automslc as a standalone tool or as part of a software project, know that the tool enables illegal activity and could land you in trouble.
The C2-oriented operation suggests that the threat actor is actively monitoring and coordinating the piracy activity rather than simply providing a passive piracy tool, which raises the risk of introducing more malicious behaviors in future updates.