May 21, 2025 – Cybersecurity researchers have discovered a new method hackers are using to verify stolen account information. Malicious Python packages uploaded to the Python Package Index (PyPI) are being used to exploit TikTok and Instagram’s internal APIs, allowing attackers to confirm whether stolen email addresses are linked to real accounts.
The packages—named checker-SaGaF, steinlurks, and sinnercore—tap into private API endpoints originally intended for password recovery and account support. By abusing these internal tools, attackers can confirm which stolen credentials are active, significantly improving the success rate of later attacks.
“Checkers are an integral first step in many exploit chains,” noted the report. “With confirmation that an email is linked to an active account, attackers can proceed with doxing, spamming, fake report attacks, or credential stuffing.”
How the Exploit Works
These malicious Python packages interface with hidden or undocumented API endpoints on both TikTok and Instagram. While the code appears normal at first glance, it contains functionality that mimics how real users would interact with the platforms, using their recovery systems to test for valid accounts.
The most advanced tool, steinlurks, uses up to five different methods to check Instagram account status. It rotates between these techniques randomly to avoid triggering anti-bot systems.
One example is a function designed to create randomized user-agent strings, making each request look like it’s coming from a different mobile device:
    import random  # needed by random.choice below

    def generate_user_agent():
        """Generate a random user agent string."""
        # Instagram app version strings to rotate through
        ii = ["165.1.0.29.119", "166.0.0.30.120", "167.0.0.31.121", "168.0.0.32.122"]
        user_agent = (
            f"Instagram {random.choice(ii)} Android "
            f"(... device specs ...)"
        )
        return user_agent
This helps the malware blend in with normal traffic patterns and avoid detection by traditional security tools. By spreading requests across multiple Instagram API endpoints—such as the password recovery URL and the user lookup function—these packages ensure continued operation even if one method is blocked.
Growing Risk of Supply Chain Attacks
Researchers from Socket.dev, who discovered the packages during routine scans, warned that these tools reflect a growing trend in supply chain attacks. Instead of hacking users directly, attackers plant dangerous packages in trusted software ecosystems, where they can be unknowingly downloaded by developers or used in wider attack chains.
These checkers are particularly dangerous because they turn lists of stolen email addresses into verified targets. This improves efficiency for credential stuffing attacks and phishing campaigns while making detection harder for security teams.
Security experts recommend developers and organizations use automated tools to scan open-source packages before installation and avoid downloading packages with little to no community vetting or documentation.
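As an illustration of that kind of pre-installation scan, the sketch below is an added example, not code from the researchers' report or from any scanning product. It parses a package's Python source without importing or running it and flags the traits described above: a spoofed mobile-app user-agent string, rotation through `random.choice`, and hard-coded platform hostnames. The function names, the regular expressions and the sample input are assumptions made for this example, and a match is a prompt for manual review rather than proof of malice.

```python
import ast
import re

# Indicator names; patterns are heuristics derived from the behaviour described above.
UA, HOST, ROTATE = "spoofed app User-Agent", "hard-coded platform host", "random.choice rotation"
UA_RE = re.compile(r"(Instagram|TikTok)\s+\S+\s+Android", re.I)
HOST_RE = re.compile(r"\b(instagram|tiktok)\.com\b", re.I)


def literal_text(node):
    """Return the text of a str literal or f-string ('{}' marks interpolations)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.JoinedStr):
        return "".join(v.value if isinstance(v, ast.Constant) else "{}" for v in node.values)
    return None


def scan_source(source):
    """Parse (never import or run) package source; return sorted (line, indicator) pairs."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        text = literal_text(node)
        if text is not None:
            if UA_RE.search(text):
                found.add((node.lineno, UA))
            if HOST_RE.search(text):
                found.add((node.lineno, HOST))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "choice"
              and isinstance(node.func.value, ast.Name) and node.func.value.id == "random"):
            found.add((node.lineno, ROTATE))
    return sorted(found)


def is_suspicious(findings):
    """Flag for manual review: a spoofed UA plus rotation or a platform host."""
    kinds = {kind for _, kind in findings}
    return UA in kinds and bool(kinds & {HOST, ROTATE})


# Constructed sample: the snippet quoted in the article plus a placeholder URL constant.
SAMPLE = '''
import random
URL = "https://www.instagram.com/"  # placeholder, not an endpoint from the packages
def generate_user_agent():
    ii = ["165.1.0.29.119", "166.0.0.30.120"]
    return f"Instagram {random.choice(ii)} Android (... device specs ...)"
'''

if __name__ == "__main__":
    for line, kind in scan_source(SAMPLE):
        print(f"line {line}: {kind}")
    print("needs review:", is_suspicious(scan_source(SAMPLE)))
```

Legitimate client libraries for these platforms can trip the same patterns, so the result is best combined with the vetting signals mentioned above, such as package age, maintainer history and documentation.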