Researchers from Checkmarx have uncovered a sophisticated campaign in which attackers built credibility within the Python Package Index (PyPI) community to release crypto-draining, data-stealing malware.
Starting a little over a month ago, the attackers uploaded several non-malicious Python packages, such as ‘spl-types,’ to establish credibility and evade detection for a future attack, via the StackExchange Q&A website.
A little over a week later, the attackers released malicious versions of the packages embedding obfuscated malware within the ‘init.py’ file.
PyPI social hacking?
By first gaining the trust of the community, the hackers were able to deploy automatically executed malware to compromise unsuspecting victims’ systems, exfiltrating data and draining cryptocurrency wallets.
The attackers posted seemingly helpful answers on popular StackExchange threads, directing users to their malicious package by abusing the trust typical of these platforms.
A backdoor component provided the attackers with persistent remote access, which enabled long-term exploitation and greater crypto wallet drains. The attack primarily targeted those involved with Raydium and Solana cryptocurrencies.
Besides draining wallets, the malware also harvested sensitive data like browser history, saved passwords, cookies, and credit card information. It also targeted messaging apps like Telegram and Signal to capture screenshots and search for files with specific keywords relating to cryptocurrency and sensitive data.
Given the socially manipulative element of the attack, the researchers reaffirm the importance of verifying the authenticity of software packages and maintaining vigilance against potentially harmful forum content.
Moreover, basic cybersecurity measures, like not downloading unknown content, protecting online accounts with strong passwords and two-factor authentication, and keeping software updated, are vital steps in combating the spread of malware.