Be careful when downloading Python packages from PyPI – researchers have discovered that some are malicious and want to steal your cryptocurrency collection.
Cybersecurity researchers at ReversingLabs recently discovered seven such packages, the purpose of which is to steal BIP39 mnemonics from victims.
A cryptocurrency wallet is secured in two ways: with a password and with a mnemonic (a string of 12 or 24 seemingly random words). When a user sets up a wallet, it generates a reminder and a password. A password is used to log into the wallet, while the mnemonic is used to restore the wallet, in case it needs to be installed on another device or hardware wallet.
BIPClip has been in business for over a year
By stealing the phrases, hackers could load others’ wallets onto their own devices, essentially giving them unlimited access to the funds.
Cumulatively, the packages were downloaded nearly 7,500 times before researchers notified PyPI and the malware was removed. Here are their names, so make sure you haven’t downloaded them:
jsBIP39-decrypt (126 downloads)
bip39-mnemonic-decrypt (689 downloads)
mnemonic_to_address (771 downloads)
erc20 scanner (343 downloads)
public-address-generator (1,005 downloads)
hashdecrypt (4,292 downloads)
hashdecrypts (225 downloads)
ReversingLabs called the campaign BIPClip and claims it launched in early December 2022.
“This is just the latest software supply chain campaign to target crypto assets,” security researcher Karlo Zanki said in a report shared with The HackerNews. “It confirms that cryptocurrency remains one of the most popular targets for supply chain actors.”
PyPI, one of the largest and most popular Python package repositories on the Internet, is often the target of supply chain attacks. Hackers often impersonate legitimate packages and try to trick developers into downloading malicious versions that exfiltrate their sensitive data and deploy malware and ransomware. At one point last year, PyPl was forced to suspend new projects and user signups after a flood of malware.