These PyPI Python packages might drain your crypto wallet

By techempire

March 12, 2024, The Hacker News, Cryptocurrency / cybercrime

Threat hunters have discovered a set of seven packages in the Python Package Index (PyPI) repository designed to steal BIP39 mnemonic phrases, which are used to recover the private keys of cryptocurrency wallets.

ReversingLabs has codenamed this software supply chain attack campaign BIPClip. The packages were downloaded a total of 7,451 times before being removed from PyPI. The list of packages is as follows –

BIPClip targets developers working on projects related to generating and securing cryptocurrency wallets, and is said to have been active since at least December 4, 2022, when hashdecrypt was first published to the registry.

“This is just the latest software supply chain activity targeting crypto assets,” security researcher Karlo Zanki said in a report shared with The Hacker News. “This confirms that cryptocurrency remains one of the most popular targets for supply chain threat actors.”

In a sign that the threat actors behind this campaign take care to avoid detection, one of the packages in question, mnemonic_to_address, contains no malicious functionality of its own; instead it lists bip39-mnemonic-decrypt, the package that carries the malicious component, as a dependency.

“Even if they do choose to look at the package’s dependencies, the names of imported modules and called functions are carefully chosen to mimic legitimate functions and not raise suspicion, since implementations of the BIP39 standard include many cryptographic operations,” Zanki explained.

That dependency, for its part, is designed to steal mnemonic phrases and exfiltrate them to attacker-controlled servers.
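The decoy pattern above (a clean-looking package that only pulls in the malicious one as a dependency) is exactly what a review of direct dependencies misses. The audit below is an added example, not code from ReversingLabs or The Hacker News: it walks a project's transitive dependency graph, normalizes names the way PyPI does, and flags both exact matches against the package names given in this report and one-character lookalikes such as hashdecrypt versus hashdecrypts. The dependency graph, the direct-dependency list and the lookalike name `hash-decrypt` are constructed for illustration; in practice the graph would come from a lockfile, `pip download` output or `importlib.metadata`.

```python
"""Transitive dependency audit against the package names in the BIPClip report.

Added example (not the report's or any project's own code). The graph and
package lists below are constructed for illustration.
"""
import re
from collections import deque

# Package names given in the report (six of the seven; the seventh is not
# named on this page).
BIPCLIP_PACKAGES = {
    "hashdecrypt",
    "hashdecrypts",
    "mnemonic_to_address",
    "bip39-mnemonic-decrypt",
    "public-address-generator",
    "erc20-scanner",
}

# Constructed dependency graph: package -> packages it requires. The only
# edge taken from the report is mnemonic_to_address -> bip39-mnemonic-decrypt;
# the rest is filler that mimics an ordinary project.
SAMPLE_GRAPH = {
    "requests": ["charset-normalizer", "idna", "urllib3", "certifi"],
    "mnemonic_to_address": ["bip39-mnemonic-decrypt", "requests"],
    "bip39-mnemonic-decrypt": ["requests"],
}

# Constructed direct dependencies of a hypothetical wallet project.
# "hash-decrypt" is a made-up lookalike, not a package from the report.
SAMPLE_DIRECT_DEPS = ["requests", "mnemonic_to_address", "hash-decrypt"]


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.'
    collapse to a single '-'. Without it, mnemonic_to_address and
    Mnemonic-To-Address would be treated as different packages."""
    return re.sub(r"[-_.]+", "-", name).lower()


FLAGGED = {normalize(n) for n in BIPCLIP_PACKAGES}


def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or
    substitution, e.g. hashdecrypt vs hashdecrypts."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a  # make a the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]


def audit(direct_deps, graph):
    """Breadth-first walk from the project's direct dependencies.

    Returns a list of findings, each a dict with the normalized package name,
    the dependency path through which it is reached, and the reason it was
    flagged. Passing an empty graph reproduces a direct-dependencies-only
    check, which is what misses the decoy package's payload."""
    graph = {normalize(k): v for k, v in graph.items()}
    findings = []
    seen = set()
    queue = deque((normalize(d), [normalize(d)]) for d in direct_deps)
    while queue:
        pkg, path = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        if pkg in FLAGGED:
            findings.append({"package": pkg, "path": path, "reason": "exact match"})
        else:
            near = sorted(f for f in FLAGGED if edit_distance_one(pkg, f))
            if near:
                findings.append({"package": pkg, "path": path,
                                 "reason": f"lookalike of {near[0]}"})
        for child in graph.get(pkg, ()):
            child = normalize(child)
            queue.append((child, path + [child]))
    return findings


def flagged_names(findings):
    """Convenience: just the set of flagged package names."""
    return {f["package"] for f in findings}


if __name__ == "__main__":
    print("direct only :", flagged_names(audit(SAMPLE_DIRECT_DEPS, {})))
    for f in audit(SAMPLE_DIRECT_DEPS, SAMPLE_GRAPH):
        print(f"{f['package']:<25} via {' -> '.join(f['path'])}  ({f['reason']})")
```

Run as a script, the direct-only pass reports only mnemonic-to-address and the lookalike, while the transitive pass also surfaces bip39-mnemonic-decrypt with the path that pulled it in. The lookalike check is a heuristic and will occasionally flag benign names one character away from a listed one; treat those as review prompts, not verdicts.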

Two other packages discovered by ReversingLabs – public-address-generator and erc20-scanner – operate in a similar manner, with the former acting as a decoy that transmits the mnemonic phrases to the same command-and-control (C2) server.

hashdecrypts, on the other hand, functions slightly differently: it is not built to work as a pair and instead contains near-identical code to harvest the data within itself.

According to the software supply chain security company, the package contains a reference to a GitHub account named “HashSnake,” which features a repository called hCrypto that is advertised as a way to extract mnemonic phrases from crypto wallets using the hashdecrypts package.

Close inspection of the repository's commit history shows that this activity has been going on for over a year: one of the Python scripts imported the hashdecrypt package (without the “s”) instead of hashdecrypts until March 1, 2024, the same date hashdecrypts was uploaded to PyPI.

It’s worth pointing out that the threat actors behind the HashSnake account also have a presence on Telegram and YouTube, where they advertise their software. This included the release of a video on September 7, 2022, demonstrating a crypto log checker tool called xMultiChecker 2.0.

“The contents of each discovered package were carefully curated to make it appear less suspicious,” Zanki said.

    “They were focused on compromising crypto wallets and stealing the cryptocurrency contained within them. The lack of a broader agenda and ambition makes this campaign unlikely to compromise security and monitoring tools deployed within compromised organizations.”


    These findings once again highlight the security threats lurking in open source software package repositories, which are exacerbated by the fact that legitimate services such as GitHub are used as conduits to distribute malware.

    Additionally, abandoned projects are becoming an attractive vector for threat actors to seize control of developer accounts and release Trojanized versions, paving the way for large-scale supply chain attacks.


    Checkmarx noted last month: “Abandoned digital assets are not relics of the past; they are ticking time bombs that are increasingly exploited by attackers, turning them into Trojan horses in the open source ecosystem.”

    “The MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains can be hijacked to mislead users and spread malicious intent.”
