Beware Of New Malicious PyPI Packages That Steal Wallet Passwords

Threat actors use malicious PyPI packages to infiltrate systems and execute various attacks like data exfiltration, ransomware deployment, or system compromise. 

By masquerading as legitimate Python libraries, these packages can bypass security measures, infect unsuspecting users’ environments, and potentially cause widespread damage.

Cybersecurity researchers at ReversingLabs recently discovered new malicious PyPI packages that could steal crypto wallet passwords.

New Malicious PyPI Packages

ReversingLabs unveiled a malicious scheme spanning seven open-source packages on PyPI, with 19 variants, the earliest dating back to December 2022. 

This ‘BIPClip’ campaign aims to steal the mnemonic phrases used for crypto wallet recovery, joining the ranks of previous supply chain attacks like the 3CX compromise.

Cryptocurrency remains a coveted target, and threat actors employ deceptive tactics like malicious dependencies and name-squatting to evade detection.

The RL research team found seven new malicious PyPI packages aiming to steal crypto wallet phrases while staying hidden.

This campaign targets developers handling cryptocurrency wallets, especially those using BIP39 for easy-to-remember wallet generation. BIP39 simplifies seed creation with mnemonic phrases, enhancing recall for wallet owners.

Crypto infrastructure and assets remain prime targets for supply chain strikes, from the Ledger Connect Kit breach diverting transactions to covert cryptominers in Python libraries and malicious crypto-related npm packages.

Allegedly, the North Korean threat actors have stolen up to $3 billion in crypto over five years; it’s a staggering 5% of their GDP.

ReversingLabs found two PyPI packages, mnemonic_to_address and bip39_mnemonic_decrypt, working together to steal crypto wallet data.

The bip39_mnemonic_decrypt package raised suspicion because it combined Base64 decoding with network usage. Further investigation revealed mnemonic_to_address as a seemingly “clean” package that pulls in bip39_mnemonic_decrypt as a hidden malicious dependency.

Code example from eth-account documentation for generating an account from a mnemonic (Source – ReversingLabs)

The mnemonic_to_address package acts as a wrapper around function calls from the legitimate eth-account library. However, it differs subtly by also calling decrypt_jsBIP39, a function that does not exist in the eth-account package.

That function is imported from the bip39_mnemonic_decrypt module, and mnemonic_to_address passes the user’s mnemonic passphrase to it as an argument.

Code from mnemonic_to_address package calls the function from the malicious bip39_mnemonic_decrypt package (Source – ReversingLabs)

The bip39_mnemonic_decrypt package is the second in the campaign and is a dependency of mnemonic_to_address. 

ReversingLabs discovered clearly malicious functionality within it. Both packages were published by james_pycode, a newly created PyPI maintainer account, a common tactic in malicious campaigns. 

The account showed minimal effort to establish credibility. Sophisticated attackers often invest resources to mimic official pages in open-source repositories.

Threat actors stealthily hide malicious code in open-source packages. In this case the malware was concealed deep within a dependency to avoid detection during code audits of the top-level package.

Fraudulent function names like “decrypt_jsBIP39” and “cli_keccak256” disguised malicious actions. The malware stealthily exfiltrated crypto wallet seeds, encoding them as “license” data. 

Though limited in scope, this supply chain attack exploited developers’ trust in open-source libraries. Vigilance in vetting third-party code and security assessments is crucial to prevent such threats from targeting the lucrative crypto ecosystem.
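The two red flags described above, a wallet secret flowing into a function imported from somewhere other than eth-account, and Base64 decoding combined with network access in the dependency, can be checked statically before a package is installed. The following is an added example written for this article, not ReversingLabs’ tooling or the packages’ own code; the WRAPPER sample and the eth_account allowlist are constructed assumptions modelled on the description above.

```python
# Added example, not the packages' code: static triage for the pattern described above
# (mnemonic flowing into an unexpected module; Base64 decode plus network use).
import ast

NETWORK_MODULES = {"requests", "urllib", "urllib3", "socket", "http", "httpx"}
DECODE_CALLS = {"b64decode", "urlsafe_b64decode"}
SECRET_HINTS = ("mnemonic", "seed", "passphrase")
TRUSTED_MODULES = {"eth_account"}  # assumed allowlist for wallet-handling code

def _callee(func, imports):
    """Resolve a call target to (name, module its base name was imported from)."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.attr, imports.get(func.value.id)
    if isinstance(func, ast.Name):
        return func.id, imports.get(func.id)
    return "", None

def scan_source(src):
    """Return sorted (finding_kind, detail) tuples for one module's source."""
    tree, imports, findings = ast.parse(src), {}, set()
    for node in ast.walk(tree):  # map local names -> top-level module name
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            plain = isinstance(node, ast.Import)
            for a in node.names:
                mod = (a.name if plain else node.module or "").split(".")[0]
                imports[a.asname or (mod if plain else a.name)] = mod
                if mod in NETWORK_MODULES:
                    findings.add(("network_import", mod))
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name, mod = _callee(node.func, imports)
        if name in DECODE_CALLS:
            findings.add(("base64_decode", name))
        for arg in list(node.args) + [k.value for k in node.keywords]:
            if (isinstance(arg, ast.Name) and mod not in TRUSTED_MODULES
                    and any(h in arg.id.lower() for h in SECRET_HINTS)):
                findings.add(("secret_to_untrusted",
                              f"{mod or '<local>'}.{name}({arg.id})"))
    return sorted(findings)

def is_suspicious(findings):
    kinds = {k for k, _ in findings}
    return "secret_to_untrusted" in kinds or {"base64_decode", "network_import"} <= kinds
# Constructed sample modelled on the wrapper described above (not the real code)
WRAPPER = """from eth_account import Account
from bip39_mnemonic_decrypt import decrypt_jsBIP39
def mnemonic_to_address(mnemonic):
    decrypt_jsBIP39(mnemonic)
    return Account.from_mnemonic(mnemonic).address"""
```

Run scan_source over each module of a package before installing it; the wrapper is flagged because the mnemonic reaches bip39_mnemonic_decrypt, and a dependency that both Base64-decodes and imports a network module is flagged on its own.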

IOCs

IoC (Source – ReversingLabs)


Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
