
Malicious PyPI packages set sights on crypto wallet recovery passwords


Seven malicious Python Package Index (PyPI) packages, downloaded nearly 7,500 times before they were removed, were used to exfiltrate BIP39 mnemonic phrases, the word lists from which a cryptocurrency wallet's keys can be recovered, in a software supply chain campaign dubbed BIPClip that dates back to December 2022, The Hacker News reports.

The attackers worked to keep the malicious activity out of sight. According to a ReversingLabs report, one of the packages, "mnemonic_to_address", declared only "bip39_mnemonic_decrypt" as a dependency, a layering that keeps the suspicious functionality out of the top-level package a developer installs and inspects. Two other packages, "public-address-generator" and "erc20-scanner", were used together to steal mnemonic phrases. Attackers "were laser focused on compromising crypto wallets and stealing the crypto currencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations," said researcher Karlo Zanki.
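The dependency trick described above (a clean-looking package that pulls its payload in through a second package) is easy to miss if you only review the package you asked for. The following is an added example, not code from the article or from ReversingLabs: it parses the `Requires-Dist` lines of package metadata, walks the transitive dependency closure from a root package, and reports every package that arrives which is not on your pinned allowlist, along with the chain that dragged it in. The metadata fragments are constructed for the example; only the two package names come from the article, and their dependency on `requests` and `urllib3` is invented to give the walk some depth. The `installed_graph()` helper builds the same graph from whatever is installed in the running interpreter, so the check can be pointed at a real environment.

```python
"""Surface transitive dependencies a top-level package pulls in that are not on an allowlist."""
import re
from importlib import metadata as importlib_metadata
from typing import Dict, Iterable, List, Optional, Tuple

# Project name at the start of a Requires-Dist value, before any version spec or marker.
REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: 'bip39_mnemonic_decrypt' and 'bip39-mnemonic-decrypt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(requires_dist: str) -> Optional[str]:
    """Extract the normalized project name from e.g. 'requests (>=2.0); extra == "socks"'."""
    match = REQ_NAME.match(requires_dist)
    return normalize(match.group(1)) if match else None


def parse_requires(metadata_text: str) -> List[str]:
    """Collect the dependency names declared by the Requires-Dist lines of a METADATA file."""
    deps = []
    for line in metadata_text.splitlines():
        if line.startswith("Requires-Dist:"):
            name = requirement_name(line[len("Requires-Dist:"):])
            if name:
                deps.append(name)
    return deps


# Constructed sample metadata (not the real packages' files): the top-level package
# declares a single dependency, and the chain continues from there.
SAMPLE_METADATA: Dict[str, str] = {
    "mnemonic_to_address": "Name: mnemonic_to_address\nRequires-Dist: bip39_mnemonic_decrypt\n",
    "bip39_mnemonic_decrypt": "Name: bip39_mnemonic_decrypt\nRequires-Dist: requests (>=2.0)\n",
    "requests": "Name: requests\nRequires-Dist: urllib3<3\n",
    "urllib3": "Name: urllib3\n",
}


def dependency_graph(metadata: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each normalized package name to the normalized names it depends on."""
    return {normalize(pkg): parse_requires(text) for pkg, text in metadata.items()}


def dependency_closure(root: str, graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Breadth-first walk from root; each reached package maps to the chain that pulls it in."""
    root = normalize(root)
    paths: Dict[str, List[str]] = {root: [root]}
    queue = [root]
    while queue:
        pkg = queue.pop(0)
        for dep in graph.get(pkg, []):  # unknown packages simply have no outgoing edges
            if dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def unexpected_transitives(
    root: str, allowlist: Iterable[str], graph: Dict[str, List[str]]
) -> List[Tuple[str, List[str]]]:
    """Packages reached from root that are neither root nor in the allowlist (e.g. your lockfile)."""
    allowed = {normalize(name) for name in allowlist}
    root_norm = normalize(root)
    closure = dependency_closure(root_norm, graph)
    return sorted(
        (name, path) for name, path in closure.items()
        if name != root_norm and name not in allowed
    )


def installed_graph() -> Dict[str, List[str]]:
    """Build the same graph from the distributions installed in the current interpreter."""
    graph: Dict[str, List[str]] = {}
    for dist in importlib_metadata.distributions():
        name = dist.metadata["Name"]
        if not name:
            continue
        deps = [requirement_name(req) for req in (dist.requires or [])]
        graph[normalize(name)] = [dep for dep in deps if dep]
    return graph


if __name__ == "__main__":
    sample_graph = dependency_graph(SAMPLE_METADATA)
    for name, path in unexpected_transitives("mnemonic_to_address", ["requests", "urllib3"], sample_graph):
        print(f"unexpected dependency {name}: {' -> '.join(path)}")
```

Run against a real environment with `unexpected_transitives("some-package", lockfile_names, installed_graph())`; anything it prints is a package your lockfile never mentioned, which is exactly where a payload like the one above would sit. Dependencies guarded by an `extra ==` marker are included, which errs on the side of flagging too much rather than too little.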
