Python Developers Beware: Malicious Packages are Swapping Out Your Crypto Addresses

According to the IT security researchers at Phylum, dozens of malicious Python packages target developers by replacing crypto addresses in developer clipboards.

Phylum researchers have identified dozens of typosquat packages, and a separate campaign is also identified in which several more packages are involved. This campaign is also targeting developers and their cryptocurrency.

What’s worse, researchers have found that these malicious packages are downloaded over 29 million times each day.

Modus Operandi

Once the package is installed, a malicious JavaScript file is launched in the background of an ongoing web browsing session. Therefore, when a developer in the clipboard copies a cryptocurrency address, it is replaced with the attacker’s address.

So far, these packages have been downloaded more than a hundred times. The payload for each malicious package is present in the setup.py. The attackers initiate the attack chain by obtaining a list of interesting paths. If the user has an administrator account, the attacker will add an additional path to the list.

Afterward, they will create an Extension director in case there isn’t one already. Lastly, the attacker will write an obfuscated JavaScript to the$APPDATA\\Extension folder and a manifest.json to the $APPDATA\\Extension folder to request for clipboardWrite and clipboardRead permissions.

Malicious Packages List

The list of packages is constantly expanding in this currently active campaign. In a blog post published November 7th, Phylum’s Co-founder and ex-NSA software developer Louis Lang shared the following list:

baeutifulsoup4

beautifulsup4

cloorama

cryptograpyh

crpytography

djangoo

ipyhton

mail-validator

mariabd

notebok

pillwo

pyautogiu

pygaem

pytorhc

python-dateuti

python-flask

python3-flask

pyyalm

rqeuests

slenium

sqlachemy

sqlalcemy

tkniter

urlllib

hello-world-exampl

hello-world-example

mysql-connector-pyhton

Associated Dangers

After successfully dropping the payload and gaining the required permissions, the attacker can create a textarea on the page and paste clipboard content or use regular expressions to look for common cryptocurrency address formats.

Moreover, they can replace identified addresses with attacker-controlled addresses in the already created textarea. When the compromised developer copies a wallet address, the malicious package replaces the address with an attacker-controlled address, inadvertently leading to transferring of funds to the attacker’s wallet.

However, as of now, funds haven’t been transferred to any of the attacker-controlled wallets, including the following:

• TRX TWStXoQpXzVL8mx1ejiVmkgeUVGjZz8LRx
• LTC LPDEYUCna9e5dYaDPYorJBXXgc43tvV9Rq
• BNB bnb1cm0pllx3c7e902mta8drjfyn0ypl7ar4ty29uv
• BTC bc1qqwkpp77ya9qavyh8sm8e4usad45fwlusg7vs5v
• ETH 0x18c36eBd7A5d9C3b88995D6872BCe11a080Bc4d9

Phylum assumes that although the malicious packages have been reported, their number of downloads and package count may keep increasing.

1. Trojan Source attack lets hackers exploit source code
2. 6 official Python repositories plagued with crypto malware
3. Malicious npm Packages Used in Siphoning Off Discord Tokens
4. Cryptojacking Campaign Kiss-a-dog Hits Docker and Kubernetes
5. Cybercriminals hit malware authors with malicious NPM packages

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism