Hackers are once again targeting Python developers involved in the blockchain industry in an attempt to distribute malware and steal tokens.
A new report from cybersecurity researchers at Checkmarx outlines how they observed an account on PyPI uploading multiple packages within a very short timeframe.
This unnamed individual uploaded a handful of packages with similar names: “AtomicDecoderss”, “TrustDecoderss”, “WalletDecoderss”, and more. The packages are presented as tools for decoding and managing data from different cryptocurrency wallets. On the surface, they look like super useful tools, especially for people in need of crypto wallet recovery, or management.
Malicious intent
Depending on the name, the packages are designed for separate wallets: Atomic, Trust Wallet, MetaMask, Ronin, Exodus, TronLink, and others. The ones mentioned here are some of the most popular wallets out there, especially MetaMask and Atomic.
Their true purpose, however, is malicious – they work in the background to grab additional code from dependencies, which is built to steal cryptocurrency wallet data such as private keys and mnemonic phrases. This data is used to load a wallet into a new app, essentially allowing crooks to manage the money as they see fit.
The packages were also designed with plenty of obfuscation in mind, the researchers explained in the press release: “This strategic use of dependencies allowed the main packages to appear harmless while harboring malicious intent in their underlying components.”
Checkmarx doesn’t know how many people were affected by the attack, but urged everyone to stay vigilant, especially when grabbing content from major repositories who are often targeted.
PyPI is short for Python Package Index, and serves as a repository for Python software packages. It is a central hub where Python developers can upload, share, and install software libraries and tools, and widely considered as the most popular platform of its kind.