A recent malware campaign using Python Package Index (PyPI) to steal peoples’ cryptocurrency is still active and has grown dramatically since 2022 end.
According to a recent analysis from cybersecurity specialist Phylum, the threat actors would generate malicious Python packages and upload them to PyPI, the most extensive code repository for the programming language.
Then, to hasten the development process, developers would download these packages, putting both themselves and their product users at risk.
As per ‘The Hacker News’, the initial vector entails using typosquatting to mimic popular packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow, among others.
Threat actors would use typosquatting, a tactic in which a malicious package has a name nearly identical to a valid box with only a single letter or symbol difference. This will end up in a situation where developers will accidentally infect their software when they search for specific packages and type the wrong name. Also, they might need more patience or time to thoroughly study the boxes if they search for them and find several with identical words, reports Techradar.
“After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session. When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker’s address,” Phylum said in a 2022 report.
This is achieved by creating a Chromium web browser extension in the Windows AppData folder and writing to it the rogue Javascript and a manifest.json file that requests users’ permissions to access and modify the clipboard, as per Phylum.
Targeted web browsers include Google Chrome, Microsoft Edge, Brave, and Opera, with the malware modifying browser shortcuts to load the add-on automatically upon launch using the “–load-extension” command line switch.
The researchers discovered exactly 27 packages when this campaign was first identified in 2022, but this number has now risen to 451. Threat actors would pose as some of the most well-known packages, each of which would include anything between 13 and 38 versions with mistakes.
The cryptocurrencies of anyone who downloads the infected package can be taken. Some of the most popular browsers (Chrome, Edge, Brave, and Opera) would get an add-on installed by the malware that would keep an eye on the clipboard for bitcoin addresses. If it detects one, it will replace it while pasting it with a different URL that is hardcoded to the add-on.
The concept is that when sending money, people copy and paste their cryptocurrency wallets rather than memorise them. Being a large string of random characters, wallet addresses are nearly impossible to learn. The victim won’t notice anything unless they check both lessons to ensure they are similar, a recognised best practice. It also implies that the address may be changed relatively easily when copying and pasting one.
Those careless could quickly lose all of their cryptocurrency in a transaction that cannot be undone, unless it was sent out to a third party, such as an exchange, in the unlikeliest of scenarios.
“This attacker significantly increased their footprint in PyPI through automation. Flooding the ecosystem with packages like this will continue,” Phylum noted.
The findings coincide with a Sonatype report, which found 691 malicious packages in the npm registry and 49 malicious packages in PyPI during January 2023 alone.
The development once again illustrates the growing threat developers are facing from supply chain attacks.