Be careful when downloading Python packages from PyPI – researchers have found some are malicious and looking to steal your cryptocurrency haul.
Cybersecurity researchers from ReversingLabs recently discovered seven such packages, whose goal is to steal BIP39 mnemonic phrases from its victims.
A cryptocurrency wallet is secured in two ways: with a password, and with a mnemonic phrase (a set of either 12 or 24 seemingly random words). When a user sets up a wallet, they generate a mnemonic phrase and a password. A password is used to log into the wallet, while the mnemonic phrase is used to restore the wallet, in case it needed to be installed on a different device or hardware wallet.
BIPClip has been in operation for over a year
By stealing the phrases, hackers would be able to load other people’s wallets onto their own devices, essentially getting unrestricted access to the funds.
Cumulatively, the packages were downloaded almost 7,500 times, before the researchers notified PyPI and the malware was removed. These are their names, so make sure you haven’t downloaded them:
jsBIP39-decrypt (126 downloads)
bip39-mnemonic-decrypt (689 downloads)
mnemonic_to_address (771 downloads)
erc20-scanner (343 downloads)
public-address-generator (1,005 downloads)
hashdecrypt (4,292 downloads)
hashdecrypts (225 downloads)
ReversingLabs dubbed the campaign BIPClip, and claim it kicked off in early December 2022.
“This is just the latest software supply chain campaign to target crypto assets,” security researcher Karlo Zanki said in a report shared with TheHackerNews. “It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors.”
PyPI, being one of the largest and most popular Python package repositories on the internet, is often the target of supply chain attacks. Hackers frequently impersonate legitimate packages, trying to trick developers into downloading malicious versions which exfiltrate their sensitive data and deploy malware and ransomware. At one point last year, PyPl was forced to suspend new projects and user sign-ups following a flood of malware.