
Malicious PyPI packages found exploiting Instagram and TikTok APIs


Security researchers have discovered three malicious PyPI packages, with thousands of downloads between them, that function as account-validation tools: they check lists of stolen email addresses against TikTok and Instagram APIs to find out which addresses belong to existing accounts.

All three packages have since been removed from PyPI:

  • checker-SaGaF: 2,605 downloads, last updated on April 29, 2023
  • steinlurks: 1,049 downloads, last updated on March 1, 2025
  • sinnercore: 3,300 downloads, last updated on March 5, 2025

Researchers at security firm Socket spotted the packages and flagged all three as known malware.

The three packages work differently but share the same goal. checker-SaGaF abuses an internal endpoint of TikTok's password-recovery flow to check whether an account associated with a given email address exists on the platform. steinlurks targets Instagram accounts and disguises its requests as traffic from the Instagram Android app to evade detection.

Database of 100,000 emails for sale on the dark web. | Source: Socket.

Finally, sinnercore also targets Instagram, but abuses the platform's password-reset feature both to validate accounts and to harass their owners with reset emails they never requested. It also silently collects whatever open-source intelligence it can, including profile information and the user's bio.

The packages do nothing destructive on their own; their value to attackers is that they confirm which stolen email addresses correspond to live accounts, typically the first step in a multi-stage attack. A confirmed address can be used to dox or spam the account holder, to mount mass false-report campaigns that get accounts suspended, or to narrow down a target list before a credential-stuffing or phishing attack is carried out.

Socket also reports a database of 100,000 verified email addresses for sale on a dark web forum for $300, which works out to $0.003 per address. If you have recently received password reset emails you did not request, or otherwise believe your account might be compromised, change your passwords as soon as possible. Developers, for their part, should make sure that login and password-reset endpoints return the same response whether or not an account exists for the supplied address, so that they cannot be used as account-enumeration oracles, and should rate-limit those endpoints per client.
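The following is an added example written for this article; it is not code from Socket's report or from any of the three packages. It shows a toy password-reset handler in the leaky form that the TikTok and Instagram checkers rely on (the response reveals whether the address is registered) and in a hardened form that answers identically for every address and caps requests per client, together with the enumeration loop a checker runs against such an endpoint. The user table, the "stolen" address list and all function and class names are constructed for the demonstration.

```python
# Added example (not Socket's or the packages' code): leaky vs. hardened
# password-reset handler, and the enumeration loop a "checker" runs against it.
# USER_DB, STOLEN_LIST and every name below are constructed for this demo.
import secrets
from collections import defaultdict

# Constructed data: the site's registered users and an attacker's stolen list.
USER_DB = {"alice@example.com", "bob@example.com"}
STOLEN_LIST = [
    "alice@example.com",
    "carol@example.com",
    "bob@example.com",
    "dave@example.com",
]


def reset_leaky(email: str) -> dict:
    """Vulnerable handler: the response itself says whether the account exists."""
    if email in USER_DB:
        return {"status": 200, "message": "Password reset link sent."}
    return {"status": 404, "message": "No account found for this email."}


class HardenedResetService:
    """Hardened handler: identical response for known and unknown addresses,
    the real work (sending the mail) done as a side effect the caller cannot
    observe, and a per-client request cap so bulk probing gets cut off."""

    UNIFORM = {
        "status": 200,
        "message": "If an account exists for that address, a reset link has been sent.",
    }

    def __init__(self, max_per_client: int = 10) -> None:
        self.max_per_client = max_per_client
        self.attempts = defaultdict(int)
        self.outbox: list[str] = []  # stands in for the mail queue

    def reset(self, email: str, client_id: str) -> dict:
        self.attempts[client_id] += 1
        if self.attempts[client_id] > self.max_per_client:
            return {"status": 429, "message": "Too many requests. Try again later."}
        if email in USER_DB:
            self.outbox.append(email)  # queued for delivery; invisible to the caller
        return dict(self.UNIFORM)


def enumerate_accounts(reset_fn, candidates: list[str]) -> list[str]:
    """What a checker package does: treat the endpoint as an oracle and keep
    every address whose response differs from that of a surely-unregistered one."""
    probe = f"{secrets.token_hex(8)}@example.invalid"  # reserved TLD, never registered
    baseline = reset_fn(probe)
    return [email for email in candidates if reset_fn(email) != baseline]


if __name__ == "__main__":
    print("leaky   :", enumerate_accounts(reset_leaky, STOLEN_LIST))
    svc = HardenedResetService()
    print("hardened:", enumerate_accounts(lambda e: svc.reset(e, "attacker"), STOLEN_LIST))
    print("mail queued for:", svc.outbox)
```

Against the leaky handler the loop recovers exactly the registered addresses from the stolen list; against the hardened one it recovers nothing, while the legitimate reset mails are still queued. A uniform response body is necessary but not sufficient: if the mail is sent synchronously only for real accounts, response timing becomes the oracle instead, so the work should be queued asynchronously. The per-client cap does not stop an attacker spreading requests across many clients, but it raises the cost of validating a large list.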


Yadullah Abidi
