Wednesday, May 7, 2025
HomecryptocurrencyBeware Of New Malicious PyPI Packages That Steal Wallet Passwords

Beware Of New Malicious PyPI Packages That Steal Wallet Passwords

Published on

SIEM as a Service

Follow Us on Google News

Threat actors use malicious PyPI packages to infiltrate systems and execute various attacks like data exfiltration, ransomware deployment, or system compromise. 

By masquerading as legitimate Python libraries all these packages can easily bypass security measures. 

This allows it to infect the unsuspecting users’ environments and potentially cause widespread damage.

- Advertisement - Google News

Cybersecurity researchers at ReversingLabs recently discovered new malicious PyPI packages that could steal crypto wallet passwords.

New Malicious PyPI Packages

ReversingLabs unveiled a malicious scheme spanning seven open-source packages on PyPI, with 19 variants, the earliest dating back to December 2022. 

This ‘BIPClip’ campaign aims to steal helpful phrases for crypto wallet recovery by joining the ranks of previous supply chain attacks like 3CX’s compromise

Cryptocurrency remains a coveted target, and threat actors employ deceptive tactics like malicious dependencies and name-squatting to evade detection.

The RL research team found 7 new malicious PyPI packages aiming to steal crypto wallet phrases while staying hidden.

This campaign targets developers handling cryptocurrency wallets, especially those using BIP39 for easy-to-remember wallet generation. BIP39 simplifies seed creation with mnemonic phrases, enhancing recall for wallet owners.

Crypto infrastructure and assets remain prime targets for supply chain strikes, from the Ledger Connect Kit breach diverting transactions to covert cryptominers in Python libraries and malicious crypto-related npm packages.

Allegedly, the North Korean threat actors have stolen up to $3 billion in crypto over five years; it’s a staggering 5% of their GDP.

ReversingLabs found two PyPI packages, mnemonic_to_address, and bip39_mnemonic_decrypt, collaborating to steal crypto wallet data. 

The bip39_mnemonic_decrypt raised suspicion with Base64 decoding and network usage. Besides this further investigation revealed mnemonic_to_address as a seemingly “clean” package with bip39_mnemonic_decrypt as a hidden malicious dependency.

Code example from eth-account documentation for generating an account from a mnemonic (Source – ReversingLabs)

The mnemonic_to_address package acts as a wrapper for function calls. However, it differs subtly by using decrypt_jsBIP39 which is a function that is not found in the eth-account package.

This function is imported from the bip39_mnemonic_decrypt module, where the mnemonic_to_address package passes the user’s mnemonic passphrase as an argument.

Code from mnemonic_to_address package calls the function from the malicious bip39_mnemonic_decrypt package (Source – ReversingLabs)

The bip39_mnemonic_decrypt package is the second in the campaign and is a dependency of mnemonic_to_address. 

ReversingLabs discovered clearly malicious functionality within it. Both packages were published by james_pycode, a newly created PyPI maintainer account, a common tactic in malicious campaigns. 

The account showed minimal effort to establish credibility. Sophisticated attackers often invest resources to mimic official pages in open-source repositories.

Threat actors stealthily hide malicious code in open-source packages. They concealed malware deep within dependencies to avoid detection during code audits. 

Fraudulent function names like “decrypt_jsBIP39” and “cli_keccak256” disguised malicious actions. The malware stealthily exfiltrated crypto wallet seeds, encoding them as “license” data. 

Though limited in scope, this supply chain attack exploited developers’ trust in open-source libraries. Vigilance in vetting third-party code and security assessments is crucial to prevent such threats from targeting the lucrative crypto ecosystem.

IOCs

IoC (Source – ReversingLabs)

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

NSO Group Ordered to Pay $168 Million to WhatsApp in US Spyware Verdict

A federal jury in California has ordered Israeli spyware maker NSO Group to pay...

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...