Watch out — these malicious PyPl packages could drain your wallet, and they've already been downloaded thousands of times
Researchers discover seven crypto-draining packages
Be careful when downloading Python packages from PyPI - researchers have found some are malicious and looking to steal your cryptocurrency haul.
Cybersecurity researchers from ReversingLabs recently discovered seven such packages, whose goal is to steal BIP39 mnemonic phrases from its victims.
A cryptocurrency wallet is secured in two ways: with a password, and with a mnemonic phrase (a set of either 12 or 24 seemingly random words). When a user sets up a wallet, they generate a mnemonic phrase and a password. A password is used to log into the wallet, while the mnemonic phrase is used to restore the wallet, in case it needed to be installed on a different device or hardware wallet.
BIPClip has been in operation for over a year
By stealing the phrases, hackers would be able to load other people’s wallets onto their own devices, essentially getting unrestricted access to the funds.
Cumulatively, the packages were downloaded almost 7,500 times, before the researchers notified PyPI and the malware was removed. These are their names, so make sure you haven’t downloaded them:
jsBIP39-decrypt (126 downloads)
bip39-mnemonic-decrypt (689 downloads)
mnemonic_to_address (771 downloads)
erc20-scanner (343 downloads)
public-address-generator (1,005 downloads)
hashdecrypt (4,292 downloads)
hashdecrypts (225 downloads)
ReversingLabs dubbed the campaign BIPClip, and claim it kicked off in early December 2022.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
"This is just the latest software supply chain campaign to target crypto assets," security researcher Karlo Zanki said in a report shared with TheHackerNews. "It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors."
PyPI, being one of the largest and most popular Python package repositories on the internet, is often the target of supply chain attacks. Hackers frequently impersonate legitimate packages, trying to trick developers into downloading malicious versions which exfiltrate their sensitive data and deploy malware and ransomware. At one point last year, PyPl was forced to suspend new projects and user sign-ups following a flood of malware.
More from TechRadar Pro
- PyPl suspends new projects and user sign-ups following flood of malware
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.