Be careful when downloading Python packages from PyPI – researchers have discovered that some are malicious and looking to steal your cryptocurrency loot.
Cybersecurity researchers at ReversingLabs recently discovered seven such packages, which aim to steal BIP39 mnemonic phrases from their victims.
A cryptocurrency wallet is protected in two ways: with a password and with a mnemonic phrase (a set of 12 or 24 seemingly random words). When a user sets up a wallet, they generate a mnemonic phrase and a password. The password is used to log into the wallet, while the mnemonic phrase is used to restore the wallet if it needs to be installed on a different hardware device or wallet application.
BIPClip has been in operation for more than a year
By stealing the phrases, attackers can restore other people's wallets on their own devices, essentially gaining unlimited access to the funds.
In total, the packages were downloaded almost 7,500 times before researchers notified PyPI and the malware was removed. These are their names, so make sure you haven't downloaded them:
jsBIP39-decrypt (126 downloads)
bip39-mnemonic-decrypt (689 downloads)
mnemonic_to_address (771 downloads)
ERC20 scanner (343 downloads)
public address generator (1,005 downloads)
hashdecrypt (4,292 downloads)
hashdecrypts (225 downloads)
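As an added defender-side check, not part of the article or of ReversingLabs' report, the script below compares the installed distributions of the current Python environment and a requirements file against the package names listed above. It assumes that the names the article prints with spaces correspond to PyPI project names with those words joined by hyphens (PEP 503 normalisation extended to whitespace).

```python
"""Audit a Python environment for the BIPClip packages named in the article."""
import re
import sys
from importlib import metadata

# Package names copied from the article's list (constructed from the text above).
BIPCLIP_PACKAGES = [
    "jsBIP39-decrypt",
    "bip39-mnemonic-decrypt",
    "mnemonic_to_address",
    "ERC20 scanner",
    "public address generator",
    "hashdecrypt",
    "hashdecrypts",
]


def normalize(name: str) -> str:
    """PEP 503 name normalisation (lower-case, runs of -_. collapse to '-'),
    extended to whitespace: an assumption about how the space-separated
    names in the article appear as PyPI project names."""
    return re.sub(r"[-_.\s]+", "-", name.strip()).lower()


def find_flagged(installed: list[str], flagged: list[str] = BIPCLIP_PACKAGES) -> list[str]:
    """Return the normalised names in `installed` that match a flagged package."""
    bad = {normalize(n) for n in flagged}
    return sorted({normalize(n) for n in installed} & bad)


def requirement_names(lines: list[str]) -> list[str]:
    """Extract bare project names from requirements-style lines, skipping
    comments, blank lines, pip options and URL/VCS entries."""
    names = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("-", "http", "git+")):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names


if __name__ == "__main__":
    # Check what is installed in this interpreter's environment.
    installed = [d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]]
    hits = find_flagged(installed)
    # Optionally also check a requirements file passed as the first argument.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            hits += find_flagged(requirement_names(fh.read().splitlines()))
    print("flagged packages found:", sorted(set(hits)) or "none")
```

Run it inside each virtual environment you use (`python audit.py requirements.txt`), since `importlib.metadata` only sees the distributions visible to the interpreter it runs under.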
ReversingLabs named the campaign BIPClip and claims it began in early December 2022.
“This is just the latest software supply chain campaign targeting crypto assets,” said security researcher Karlo Zanki in a report shared with TheHackerNews. “It confirms that cryptocurrencies remain one of the most popular targets for supply chain threat actors.”
PyPI, being one of the largest and most popular Python package repositories on the Internet, is often the target of supply chain attacks. Attackers frequently pose as legitimate packages, trying to trick developers into downloading malicious versions that leak sensitive data and deploy malware and ransomware. At one point last year, PyPI was forced to suspend new projects and user registrations following an avalanche of malware.