Researchers have identified a malicious Python package named automslc on PyPI with over 104,000 downloads. The package facilitates unauthorized music downloads from Deezer by embedding hardcoded credentials and bypassing access restrictions. automslc logs into Deezer, downloads full audio files, and communicates with a remote command-and-control server to manage downloads. It also violates Deezer's API terms, which forbid local or offline storage of complete tracks, exposing users to potential legal consequences.
"Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions by embedding hardcoded credentials and communicating with an external command-and-control (C2) server."
"Deezer's API terms forbid the local or offline storage of complete audio content, but by downloading and decrypting entire tracks, automslc bypasses this limitation, potentially placing users at risk of legal repercussions."
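
A pre-install review aimed at the two behaviours described above, embedded credentials and traffic to an external server, can be done as a static check over a package's source. This is an added example, not code from the researchers' report or from automslc; the sample source, host names, IP address and the `audit_source` helper are constructed for illustration.

```python
import ast
import re

# Names that suggest a secret is being bound (assumed heuristic, extend as needed).
CRED_NAME = re.compile(r"passw(or)?d|secret|token|api_?key", re.I)
# Captures the host part of any http(s) URL found in a string literal.
URL_HOST = re.compile(r"https?://([^/\s:'\"]+)", re.I)

def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value

def audit_source(source, allowed_hosts=()):
    """Return sorted (line, rule, detail) findings for one Python source string."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Rule 1: credential-like name assigned a non-empty string literal.
        if isinstance(node, ast.Assign) and _is_str(node.value):
            for target in node.targets:
                name = getattr(target, "id", None) or getattr(target, "attr", None)
                if name and CRED_NAME.search(name):
                    findings.append((node.lineno, "hardcoded-credential", name))
        # Rule 1b: literal passed as a credential-like keyword, e.g. login(password="...").
        elif isinstance(node, ast.keyword) and node.arg and _is_str(node.value):
            if CRED_NAME.search(node.arg):
                findings.append((node.value.lineno, "hardcoded-credential", node.arg))
        # Rule 2: URL literal pointing at a host the package has no stated reason to contact.
        if _is_str(node):
            for host in URL_HOST.findall(node.value):
                if host.lower() not in allowed:
                    findings.append((node.lineno, "unexpected-host", host))
    return sorted(findings)

# Constructed sample source; it does not reproduce any real package.
SAMPLE = '''\
import requests
SERVICE_PASSWORD = "constructed-password"

def sync(track_id):
    s = requests.Session()
    s.post("https://api.service.example/login", data={"password": SERVICE_PASSWORD})
    s.post("http://203.0.113.10:8080/status", json={"track": track_id})
'''

if __name__ == "__main__":
    for line, rule, detail in audit_source(SAMPLE, {"api.service.example"}):
        print(f"line {line}: {rule}: {detail}")
```

The check only sees literals in plain source, so credentials or hosts that are encoded, concatenated or fetched at runtime need dynamic analysis or egress monitoring instead.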