Hackers are once again targeting Python developers involved in the blockchain industry in an attempt to spread malware and steal tokens.
A new report from cybersecurity researchers at Checkmarx outlines how they observed an account on PyPI uploading multiple packages within a very short time frame.
This unnamed person has uploaded a handful of packages with similar names: “AtomicDecoderss”, “TrustDecoderss”, “WalletDecoderss” and more. The packages are presented as tools for decrypting and managing data from various cryptocurrency wallets. At first glance, they look like super useful tools, especially for people in need of crypto wallet recovery or management.
Malicious intent
Depending on the name, the packages are designed for separate wallets: Atomic, Trust Wallet, MetaMask, Ronin, Exodus, TronLink and others. The ones mentioned here are some of the most popular wallets out there, especially MetaMask and Atomic.
However, their true purpose is malicious: they work in the background to extract additional code from dependencies, built to steal cryptocurrency wallet data such as private keys and mnemonics. This data is used to load a wallet into a new app, allowing criminals to manage the funds as they see fit.
The packages were also designed with a lot of obfuscation in mind, the researchers explain in the press release: “This strategic use of dependencies made the main packages appear harmless, while harboring malicious intent in their underlying components.”
Checkmarx does not know how many people were affected by the attack, but urges everyone to remain vigilant, especially when retrieving content from large repositories that are often targeted.
PyPI is an abbreviation for Python Package Index and serves as a repository for Python software packages. It is a central hub where Python developers can upload, share, and install software libraries and tools, and is widely considered the most popular platform of its kind.