https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy

A PyPI package named ‘automslc,’ downloaded over 100,000 times since 2019, has been pirating music from the Deezer streaming service using hardcoded credentials.

The package bypasses Deezer’s limitations and downloads full-length, high-quality audio files for offline listening and distribution, violating Deezer’s terms of service and copyright laws.

Security firm Socket discovered the package, noting that while it functions as a piracy tool, it also uses command-and-control infrastructure, potentially turning its users into a distributed network.

This raises concerns that the tool could be repurposed for other malicious activities.

The package remains available on PyPI at the time of reporting, and users are warned of the legal risks associated with its use.