Hackers Use TikTok & Instagram APIs to Verify Stolen Accounts

Cybersecurity experts have uncovered a new attack method where threat actors deploy malicious Python packages that exploit internal APIs of social media platforms to verify stolen credentials.

These packages, published on the Python Package Index (PyPI), specifically target TikTok and Instagram. They allow attackers to check whether stolen email addresses correspond to actual accounts on these platforms. The malicious packages, known as checker-SaGaF, steinlurks, and sinnercore, interact programmatically with private API endpoints originally designed for legitimate password recovery and account management. 

By abusing these endpoints, attackers can systematically process lists of potentially compromised email addresses and confirm which ones are linked to active accounts. 

This validation step is crucial in attack chains as it enables threat actors to focus only on confirmed accounts, reducing the risk of detection while increasing their chances of success. 

“Checkers are an essential first step in many exploit chains,” the analysis report explains. 

“Once threat actors have this information from an email address, they can threaten to dox or spam, carry out fake report attacks to suspend accounts, or simply confirm targets before launching credential stuffing or password spraying attacks.” 

Researchers from Socket.dev observed that these malicious packages use advanced techniques to avoid detection. 

At first glance, the packages appear legitimate but contain code that interacts directly with TikTok and Instagram’s internal API endpoints in ways not intended for public use. 

Methods used 

The most advanced package, steinlurks, uses five different methods to check Instagram accounts. It randomly cycles through these methods to avoid triggering anti-abuse systems. This includes generating randomized mobile User-Agent strings that imitate the Instagram Android app. By dynamically creating different identifiers for each request, the malware greatly reduces its chances of being detected by traditional pattern matching. This approach ensures that if one method is blocked, others remain accessible, showing the attacker’s deep knowledge of both platform architecture and security defenses. 

This discovery highlights the increasing sophistication of supply chain attacks targeting developer ecosystems. Attackers are exploiting trusted repositories to distribute tools that turn stolen data into actionable intelligence for further exploitation. 
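A dependency audit for the three package names reported above, as an added example that is not from the article or the researchers' report. The sample requirements file and its version numbers are constructed, and `audit_requirements` and `audit_installed` are hypothetical helper names.

```python
import re
from importlib import metadata

# Package names reported in the article above.
REPORTED = ("checker-SaGaF", "steinlurks", "sinnercore")

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

BLOCKLIST = {normalize(n) for n in REPORTED}

# A requirement line starts with the project name; extras, version
# specifiers and environment markers follow it.
_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def audit_requirements(text: str) -> list[tuple[int, str]]:
    """Return (line_number, normalized_name) for each reported package."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("-"):   # blanks and pip options (-r, -e)
            continue
        m = _NAME.match(line)
        if m and normalize(m.group(1)) in BLOCKLIST:
            hits.append((lineno, normalize(m.group(1))))
    return hits

def audit_installed() -> list[str]:
    """Return reported packages present in the current Python environment."""
    names = (dist.metadata.get("Name") for dist in metadata.distributions())
    return sorted({normalize(n) for n in names if n and normalize(n) in BLOCKLIST})

# Constructed sample input, not a real project's requirements file.
SAMPLE = """\
requests==2.32.3
Checker_SaGaF==1.0
steinlurks[extra]>=0.1 ; python_version >= "3.8"
# sinnercore is only mentioned in this comment
-r other-requirements.txt
sinner-core==1.0
"""

if __name__ == "__main__":
    for lineno, name in audit_requirements(SAMPLE):
        print(f"requirements line {lineno}: reported package {name}")
    for name in audit_installed():
        print(f"installed: reported package {name}")
```

Spelling variants such as `Checker_SaGaF` are caught because PyPI treats them as the same project, while `sinner-core` is a different project name and is not flagged. Requirements given as direct URLs or `-e` installs are skipped by this parser and need a separate check.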
