Published on March 13, 2024, 8:30 pm

Title: Caution Urged As Malicious Python Packages Target Cryptocurrency Holders Via PyPI

Be cautious when downloading Python packages from PyPI as researchers have identified some that are malicious and aim to steal cryptocurrency holdings.

Recently, cybersecurity experts from ReversingLabs unearthed seven packages designed to pilfer BIP39 mnemonic phrases from unsuspecting victims. Securing a cryptocurrency wallet involves both a password and a mnemonic phrase—either 12 or 24 random words. Upon wallet creation, users generate a mnemonic phrase and a password; the password is used for login, while the mnemonic phrase serves as a backup to restore the wallet on another device.

By stealing these phrases, attackers can restore a victim's wallet on their own device and transfer its funds freely. Alarmingly, these packages were downloaded nearly 7,500 times before they were reported to PyPI and removed. Here are the package names: jsBIP39-decrypt (126 downloads), bip39-mnemonic-decrypt (689 downloads), mnemonic_to_address (771 downloads), erc20-scanner (343 downloads), public-address-generator (1,005 downloads), hashdecrypt (4,292 downloads), and hashdecrypts (225 downloads).

The campaign was named BIPClip by ReversingLabs and allegedly began in early December 2022. Security expert Karlo Zanki highlighted that supply chain attacks targeting crypto assets are increasingly common due to the widespread allure of cryptocurrencies among threat actors.

PyPI, the leading online repository of Python packages, frequently faces such supply chain threats. Attackers often disguise malicious packages as legitimate ones to deceive developers into installing versions that compromise their data security or distribute malware and ransomware. In the past year, PyPI even had to halt new projects and user sign-ups due to an influx of malware incidents.
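One defender-side check this report implies, shown here as an added example that is not from the article or from ReversingLabs: scan a requirements.txt for the seven package names listed above. Because PyPI normalizes project names (PEP 503), the check compares normalized names so that spelling variants such as `Mnemonic_To_Address` are not missed; the sample manifest below is constructed.

```python
import re

# Package names reported by ReversingLabs in the BIPClip campaign (from the article).
BIPCLIP_PACKAGES = [
    "jsBIP39-decrypt", "bip39-mnemonic-decrypt", "mnemonic_to_address",
    "erc20-scanner", "public-address-generator", "hashdecrypt", "hashdecrypts",
]


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase and collapse runs of '-', '_' and '.' to '-'.
    PyPI treats 'Mnemonic_To_Address' and 'mnemonic-to-address' as the same project,
    so indicator matching has to compare normalized names, not raw strings."""
    return re.sub(r"[-_.]+", "-", name).lower()


BLOCKLIST = {normalize(n) for n in BIPCLIP_PACKAGES}

# The project name at the start of a requirement line, before any extras ([...]),
# version specifier (==, >=, ~= ...), environment marker (;) or direct URL (@).
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(line: str):
    """Normalized project name from one requirements.txt line, or None for blank
    lines, comments and pip options such as '-r other.txt' or '--index-url'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ_NAME.match(line)
    return normalize(m.group(1)) if m else None


def find_bipclip_packages(requirements_text: str) -> list:
    """Return (line_number, normalized_name) for every requirement on the blocklist."""
    hits = []
    for lineno, line in enumerate(requirements_text.splitlines(), start=1):
        name = requirement_name(line)
        if name in BLOCKLIST:
            hits.append((lineno, name))
    return hits


# Constructed sample manifest, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
Mnemonic_To_Address>=0.1  # different spelling, same PyPI project as mnemonic_to_address
--index-url https://pypi.org/simple
hashdecrypts
bip39  # similar-looking name that is not on the reported list
"""

if __name__ == "__main__":
    for lineno, name in find_bipclip_packages(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name} is a reported BIPClip package")
```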
