Hackers hijack Python packages once again to spread dangerous malware

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Hackers are once again targeting Python developers involved in the blockchain industry in an attempt to distribute malware and steal tokens.

A new report from cybersecurity researchers at Checkmarx outlines how they observed an account on PyPI uploading multiple packages within a very short timeframe.

This unnamed individual uploaded a handful of packages with similar names: “AtomicDecoderss”, “TrustDecoderss”, “WalletDecoderss”, and more. The packages are presented as tools for decoding and managing data from different cryptocurrency wallets. On the surface, they look like super useful tools, especially for people in need of crypto wallet recovery, or management.

Malicious intent

Depending on the name, the packages are designed for separate wallets: Atomic, Trust Wallet, MetaMask, Ronin, Exodus, TronLink, and others. The ones mentioned here are some of the most popular wallets out there, especially MetaMask and Atomic.

Their true purpose, however, is malicious - they work in the background to grab additional code from dependencies, which is built to steal cryptocurrency wallet data such as private keys and mnemonic phrases. This data is used to load a wallet into a new app, essentially allowing crooks to manage the money as they see fit.

The packages were also designed with plenty of obfuscation in mind, the researchers explained in the press release: “This strategic use of dependencies allowed the main packages to appear harmless while harboring malicious intent in their underlying components.”

Checkmarx doesn’t know how many people were affected by the attack, but urged everyone to stay vigilant, especially when grabbing content from major repositories who are often targeted.

PyPI is short for Python Package Index, and serves as a repository for Python software packages. It is a central hub where Python developers can upload, share, and install software libraries and tools, and widely considered as the most popular platform of its kind.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS