Beware of sneaky PyPI Python packages draining your crypto wallets

1 min read


Threat hunters discovered seven Python packages on PyPI designed to steal BIP39 mnemonic phrases for crypto wallets. The campaign, named BIPClip, targeted developers working on crypto projects. The packages were downloaded over 7,000 times before removal from PyPI.

Detailed Article:

In a recent discovery, threat hunters found seven Python packages on the PyPI repository that were created to steal BIP39 mnemonic phrases used for recovering private keys of cryptocurrency wallets. This software supply chain attack campaign, named BIPClip by ReversingLabs, targeted developers working on projects related to generating and securing cryptocurrency wallets. The packages were collectively downloaded 7,451 times before being removed from PyPI.

One of the key elements of this discovery was that one of the packages, mnemonic_to_address, was devoid of any malicious functionality on its own. Instead, it listed bip39-mnemonic-decrypt as its dependency, which contained the malicious component. This tactic was likely used to avoid detection, as the imported module and invoked function were carefully chosen to mimic legitimate functions, making it harder to detect suspicious activity.

The BIPClip campaign also included other packages like public-address-generator and erc20-scanner, which operated in a similar fashion to steal mnemonic phrases. The campaign had been active since at least December 4, 2022, and aimed at compromising crypto wallets to steal the cryptocurrencies they contained. The threat actors behind the campaign were careful in crafting the packages to look less suspicious and focused solely on compromising crypto wallets.

This discovery underscores the security threats that exist within open-source package repositories like PyPI. The use of legitimate services such as GitHub as a conduit to distribute malware further complicates the situation. Abandoned projects are also becoming attractive vectors for threat actors to seize control of developer accounts and publish trojanized versions for large-scale supply chain attacks.

Overall, this incident highlights the importance of vigilance in the cybersecurity space, especially when dealing with open-source software and repositories. Developers and organizations need to be proactive in securing their systems and regularly monitor for any signs of malicious activity to prevent such attacks in the future.

Previous Story

Darknet drama: Market admin blackmails buyers, threatens police exposure for ransom

Next Story

CISA offline after Ivanti alert, own systems compromised

Latest from News