BIPClip: How Scammers Prey on Crypto by Exploiting Developer Weaknesses

Teacher
The PyPI platform has once again become a convenient channel for distributing malicious code.

In the Python Package Index (PyPI) repository, seven packages designed to steal BIP39 mnemonic phrases used to recover private keys of cryptocurrency wallets were recently discovered.

The operation, called BIPClip and identified by specialists from ReversingLabs, is aimed at developers working on projects to create and protect cryptocurrency wallets.

These packages, which were downloaded a total of 7451 times before they were removed from PyPI, are listed as follows:
  • jsBIP39-decrypt (126 downloads);
  • bip39-mnemonic-decrypt (689 downloads);
  • mnemonic_to_address (771 downloads);
  • erc20-scanner (343 downloads);
  • public-address-generator (1005 downloads);
  • hashdecrypt (4292 downloads);
  • hashdecrypts (225 downloads).

It is noteworthy that the BIPClip malware campaign was launched quite a long time ago — on December 4, 2022. It was then that the penultimate package from the list above, "hashdecrypt", was first published.

One of the packages, "mnemonic_to_address", contained no malicious code of its own; it merely declared "bip39-mnemonic-decrypt", where the malicious component was hidden, as a dependency. Two other packages, "public-address-generator" and "erc20-scanner", worked in a similar way, sending the harvested mnemonic phrases to the attackers' command-and-control server. "hashdecrypts", in turn, contained almost identical data-exfiltration code.
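The dependency trick above (a clean-looking package that pulls the stealer in transitively) is easy to miss if you only grep top-level names. The following added example, written for this post and not taken from ReversingLabs or the packages themselves, walks a dependency graph with PEP 503 name normalization so that "Mnemonic_To_Address" still matches "mnemonic_to_address", and reports the full path to any of the seven listed packages; the sample graph and the "my-wallet-tool" root are constructed.

```python
import re
from importlib.metadata import distributions

# The seven package names reported in the BIPClip campaign (from the article).
BIPCLIP_PACKAGES = {
    "jsBIP39-decrypt", "bip39-mnemonic-decrypt", "mnemonic_to_address",
    "erc20-scanner", "public-address-generator", "hashdecrypt", "hashdecrypts",
}

def normalize(name):
    """PEP 503 name normalization: case-insensitive; '-', '_', '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

BLOCKED = {normalize(n) for n in BIPCLIP_PACKAGES}

def find_blocked_paths(graph, roots=None):
    """Return every path from a root to a blocked package in a {pkg: [deps]} graph.
    Transitive hits count: mnemonic_to_address was clean and only pulled the
    stealer in via its bip39-mnemonic-decrypt dependency."""
    graph = {normalize(k): [normalize(d) for d in v] for k, v in graph.items()}
    roots = [normalize(r) for r in roots] if roots else list(graph)
    hits = []
    def walk(node, path):
        path = path + [node]
        if node in BLOCKED:
            hits.append(path)
        else:
            for dep in graph.get(node, []):
                if dep not in path:  # guard against dependency cycles
                    walk(dep, path)
    for root in roots:
        walk(root, [])
    return hits

def installed_graph():
    """Graph of the current environment: each requirement string is reduced to
    its bare project name (extras, markers and version specifiers dropped)."""
    graph = {}
    for dist in distributions():
        names = (re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", r) for r in dist.requires or [])
        graph[dist.metadata["Name"]] = [m.group(0) for m in names if m]
    return graph

# Constructed sample mirroring the article: the clean-looking package depends on
# the one carrying the stealer; case and spelling differ from the blocklist on purpose.
SAMPLE_GRAPH = {
    "my-wallet-tool": ["Mnemonic_To_Address", "requests"],
    "mnemonic_to_address": ["bip39-mnemonic-decrypt"],
    "bip39-mnemonic-decrypt": ["requests"],
    "requests": [],
}
```

`find_blocked_paths(installed_graph())` runs the same check over whatever is installed in the current interpreter.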

In addition, these packages included links to a GitHub profile called "HashSnake", which advertises the hCrypto repository for extracting mnemonic phrases from cryptocurrency wallets using the "hashdecrypts" package. The repository's commit history shows that the campaign has been running for more than a year.

The HashSnake account is also present in Telegram and YouTube, where the corresponding software products are advertised. For example, on September 7, 2022, a video was published with the xMultiChecker 2.0 tool for checking cryptocurrency logs.

The discovery of these packages highlights the security risks associated with open source repositories, especially when legitimate services such as GitHub are used to distribute malware.

In addition, projects that are no longer maintained become attractive targets for attackers, who can take over the developers' accounts and publish trojanized versions of the products, opening the way to large-scale supply-chain attacks.

Moreover, attackers can not only compromise the supply chain once but also remain undetected for a long time, which further increases the risk for developers and ordinary users alike.