Cryptocurrency Wallets Targeted via Python Packages Uploaded to PyPI

Multiple Python packages referencing dependencies containing cryptocurrency-stealing code were published to PyPI.

Users of popular cryptocurrency wallets have been targeted in a supply chain attack involving Python packages relying on malicious dependencies to steal sensitive information, Checkmarx warns.

As part of the attack, multiple packages posing as legitimate tools for data decoding and management were uploaded to the PyPI repository on September 22, purporting to help cryptocurrency users looking to recover and manage their wallets.

“However, behind the scenes, these packages would fetch malicious code from dependencies to covertly steal sensitive cryptocurrency wallet data, including private keys and mnemonic phrases, potentially granting the attackers full access to victims’ funds,” Checkmarx explains.

The malicious packages targeted users of Atomic, Exodus, Metamask, Ronin, TronLink, Trust Wallet, and other popular cryptocurrency wallets.

To evade detection, these packages referenced multiple dependencies that contained the malicious components, and they activated their malicious behaviour only when specific functions were called, rather than immediately after installation.

Using names such as AtomicDecoderss, TrustDecoderss, and ExodusDecodes, these packages aimed to attract the developers and users of specific wallets and were accompanied by a professionally crafted README file that included installation instructions and usage examples, but also fake statistics.
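The lure described above relies on package names that embed a wallet brand, and on the malicious component living in a dependency rather than in the package a user reads about. The following is an added example, not code from SecurityWeek or Checkmarx, of a defender-side audit that walks a dependency graph and reports every chain ending at a package whose normalised name contains one of the wallet brands the article lists. The brand tokens come from the article; the graph, the hypothetical names `my-app` and `walletutils_core`, and the allow-list entry are constructed for illustration.

```python
"""Heuristic audit for wallet-brand impersonation in a package dependency graph.

Added example, not code from SecurityWeek or Checkmarx. Apart from the wallet
brands named in the article and the package names AtomicDecoderss and
ExodusDecodes, every name below is constructed for illustration.
"""
import re
from typing import Collection, Dict, List

# Brand tokens derived from the wallets named in the article. "trust" stands in
# for Trust Wallet and is deliberately broad; hits on it need human triage.
WALLET_BRANDS = ["atomic", "exodus", "metamask", "ronin", "tronlink", "trust"]

# Assumption: an organisation-maintained list of distributions that legitimately
# contain a brand token (PEP 503 normalised names). The entry is hypothetical.
ALLOWLIST = {"trustme"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def brand_hits(name: str, allowlist: Collection[str] = ()) -> List[str]:
    """Return the brand tokens embedded in a package name, unless it is allow-listed."""
    normalized = normalize(name)
    if normalized in allowlist:
        return []
    return [brand for brand in WALLET_BRANDS if brand in normalized]


def suspicious_chains(root: str, graph: Dict[str, List[str]],
                      allowlist: Collection[str] = ()) -> List[List[str]]:
    """Walk the dependency graph from `root` and return every path that ends at a
    brand-impersonating package. A clean-looking top-level package is reported
    when the hit sits in a transitive dependency, which is where the article
    says the malicious components were placed."""
    chains: List[List[str]] = []

    def walk(pkg: str, path: List[str]) -> None:
        if pkg in path:  # cycle guard
            return
        path = path + [pkg]
        if brand_hits(pkg, allowlist):
            chains.append(path)
        for dep in graph.get(pkg, []):
            walk(dep, path)

    walk(root, [])
    return chains


# Constructed dependency graph: distribution name -> declared dependencies.
PACKAGES: Dict[str, List[str]] = {
    "my-app": ["requests", "walletutils_core"],
    "requests": [],
    "walletutils_core": ["ExodusDecodes"],
    "ExodusDecodes": [],
    "AtomicDecoderss": ["requests"],
}


if __name__ == "__main__":
    for root in ("my-app", "AtomicDecoderss"):
        for chain in suspicious_chains(root, PACKAGES, ALLOWLIST):
            brands = brand_hits(chain[-1], ALLOWLIST)
            print(f"{root}: {' -> '.join(chain)} (brands: {brands})")
```

In practice the graph would be built from the `Requires-Dist` metadata of the distributions already installed (for example via `importlib.metadata`) or from a resolved lock file, so the check runs before anything in the chain is imported. Substring matching on a brand token is a triage signal, not a verdict; the allow-list is what keeps legitimate brand-named tooling from being reported every run.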

Beyond the level of detail used to make the packages seem genuine, the attackers made them look innocuous on first inspection by spreading the functionality across dependencies and by not hardcoding the command-and-control (C&C) server address in them.

“By combining these various deceptive techniques — from package naming and detailed documentation to false popularity metrics and code obfuscation — the attacker created a sophisticated web of deception. This multi-layered approach significantly increased the chances of the malicious packages being downloaded and used,” Checkmarx notes.


The malicious code would only activate when the user attempted to use one of the packages’ advertised functions. The malware would then try to access the user’s cryptocurrency wallet data, extract private keys and mnemonic phrases along with other sensitive information, and exfiltrate it.

With access to this sensitive information, the attackers could drain the victims’ wallets and potentially set up monitoring of the wallets for future asset theft.

“The packages’ ability to fetch external code adds another layer of risk. This feature allows attackers to dynamically update and expand their malicious capabilities without updating the package itself. As a result, the impact could extend far beyond the initial theft, potentially introducing new threats or targeting additional assets over time,” Checkmarx notes.
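The three behaviours described in the preceding paragraphs, activation only when an advertised function is called, no hardcoded server address, and fetching code from outside the package at run time, leave a recognisable shape in the source of the dependency that carries them. The following is an added example, not code from SecurityWeek or Checkmarx, of a static scanner built on the standard-library `ast` module that reports network-capable imports and dynamic execution of computed (non-literal) code, and records whether that execution is deferred into a function. The two module sources at the bottom are constructed, inert samples that are only parsed, never executed; the module and builtin lists are assumptions chosen for the example.

```python
"""Static check for "fetch code at call time and execute it" patterns.

Added example, not code from SecurityWeek or Checkmarx. The sample modules
below are constructed and are only parsed, never run.
"""
import ast
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# Assumed lists for the example; extend to match the environment being audited.
NETWORK_MODULES = {"urllib", "requests", "http", "socket", "httpx", "aiohttp"}
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}


@dataclass
class Finding:
    kind: str                          # "network_import" or "dynamic_exec"
    detail: str                        # module imported or builtin called
    line: int
    enclosing_function: Optional[str]  # None when at module top level


@dataclass
class Report:
    name: str
    findings: List[Finding] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """Both signals together: can reach the network and runs computed code."""
        return {"network_import", "dynamic_exec"} <= {f.kind for f in self.findings}

    @property
    def lazy_only(self) -> bool:
        """True when every dynamic-exec call sits inside a function, meaning the
        behaviour triggers on use of that function rather than on import."""
        execs = [f for f in self.findings if f.kind == "dynamic_exec"]
        return bool(execs) and all(f.enclosing_function for f in execs)


class _Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self._funcs: List[str] = []  # stack of enclosing function names

    def _here(self) -> Optional[str]:
        return self._funcs[-1] if self._funcs else None

    def _note_import(self, module: str, line: int) -> None:
        if module.split(".")[0] in NETWORK_MODULES:
            self.findings.append(Finding("network_import", module, line, self._here()))

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self._note_import(alias.name, node.lineno)
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        self._note_import(node.module or "", node.lineno)
        self.generic_visit(node)

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self._funcs.append(node.name)
        self.generic_visit(node)
        self._funcs.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        # exec("x = 1") with a literal is uninteresting; a computed argument is
        # what a freshly downloaded payload looks like at the call site.
        computed = bool(node.args) and not isinstance(node.args[0], ast.Constant)
        if name in DYNAMIC_EXEC and computed:
            self.findings.append(Finding("dynamic_exec", name, node.lineno, self._here()))
        self.generic_visit(node)


def scan_source(source: str, name: str = "<string>") -> Report:
    scanner = _Scanner()
    scanner.visit(ast.parse(source, filename=name))
    return Report(name, scanner.findings)


def scan_directory(root: str) -> List[Report]:
    """Scan every .py file under an installed distribution or site-packages tree."""
    return [scan_source(p.read_text(encoding="utf-8", errors="replace"), str(p))
            for p in Path(root).rglob("*.py")]


# Constructed sample: an ordinary decoder module.
BENIGN_MODULE = """
import json

def decode(blob):
    return json.loads(blob)
"""

# Constructed, inert sample of the reported shape: nothing happens at import,
# the fetch-and-execute runs only when the advertised function is called, and
# no server address is hardcoded in the package.
SUSPICIOUS_MODULE = """
import urllib.request

def decode(blob):
    payload = urllib.request.urlopen(blob).read()
    exec(payload)
"""
```

Run `scan_directory` over `site-packages` (or over each dependency pulled by a package under review) and triage the reports where `suspicious` is true; `lazy_only` tells you that importing the module in a sandbox would have shown nothing, so the deferred call path is where dynamic analysis has to go. Obfuscated or indirect calls (aliasing `exec`, going through `getattr(builtins, ...)`) will not match this simple visitor, which is why the import signal is kept as an independent clue rather than a prerequisite.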


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
