Carding tool abusing WooCommerce API downloaded 34K times on PyPI

"This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket. A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform. The script specifically targeted WooCommerce stores using the CyberSource payment gateway to validate cards, which is a key step for carding actors who need to evaluate thousands of stolen cards from dark web dumps and leaked databases to determine their value and potential exploitation. Still, Socket says there are methods to mitigate the problem, like blocking very low-value orders under $5, which are typically used in carding attacks, monitoring for multiple small orders that have unusually high failure rates, or high checkout volumes linked to a single IP address or region. Socket notes that the malicious functionality on the package was introduced in version 7.36.9, likely an attempt to evade detection by security checks that might be stricter for initial submissions compared to subsequent updates. Next, it navigates to the site's checkout page from where it steals the CSRF token and a capture context, which is a code snippet CyberSource users to process card data securely. The malicious package contains a Python script that visits legitimate WooCommerce sites, collects product IDs, and then adds items to the cart by invoking the store's backend. In the next step, instead of sending the stolen card directly to the payment gateway, it sends it to a server controlled by the attacker (railgunmisaka.com), which pretends to be CyberSource and gives back a fake token for the card. "A utility for checking credit cards through multiple gateways using multi-threading and proxies," read the disgrasya package description. Socket also suggests adding CAPTCHA steps on the checkout flow that may interrupt the operation of carding scripts, as well as applying rate limiting on checkout and payment endpoints. Socket says these two are normally hidden on the page and expire quickly, but the script grabs them instantly while populating the checkout form with made-up customer info. Although the package has been removed from PyPI, its high download counts show the sheer volume of abuse for these types of malicious operations. Socket comments that this end-to-end checkout emulation process is particularly hard for fraud detection systems to detect on the targeted websites. "Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate," explains a report by Socket researchers. Using a tool like this, the threat actors are able to perform the validation of a large volume of stolen credit cards in an automated manner.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 06 Apr 2025 15:00:13 +0000


Cyber News related to Carding tool abusing WooCommerce API downloaded 34K times on PyPI

Carding tool abusing WooCommerce API downloaded 34K times on PyPI - "This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket. A newly discovered ...
1 month ago Bleepingcomputer.com
Is Your Online Store Hacked in a Carding Attack? - Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using carding attacks as we gear up for the holiday season shopping. Online companies selling products or services are struggling with the growing ...
1 year ago Cybersecuritynews.com
Defining Good: A Strategic Approach to API Risk Reduction - A good API security strategy starts with a well thought out API security posture governance program that spans from design to deployment. That standard, if communicated and enforced effectively, will not only positively affect how a developer designs ...
1 year ago Securityboulevard.com
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) - Software Name Software Slug 012 Ps Multi Languages 012-ps-multi-languages ABC APP CREATOR abcapp-creator Absolute Reviews absolute-reviews Accordion accordions Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads quick-adsense-reloaded Advanced File ...
7 months ago Wordfence.com Slug
116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
1 year ago Cybersecuritynews.com
Salt Security Delivers API Posture Governance Engine - PRESS RELEASE. PALO ALTO, Calif., Jan. 17, 2024 /PRNewswire/ - Salt Security, the leading API security company, today announced multiple advancements in discovery, posture management and AI-based threat protection to the industry leading Salt ...
1 year ago Darkreading.com
Imperva Named an Overall Leader in the KuppingerCole Leadership Compass: API Security and Management Report - We're thrilled to share that Imperva has achieved the prestigious status of Overall Leader in the KuppingerCole Leadership Compass: API Security and Management report. A notable achievement is being recognized as one of the few non-gateway-first ...
1 year ago Imperva.com
That time I broke into an API and became a billionaire - This included an internal API with a dependency on a third-party banking API. We'll get to the banking API later in this story. That's all thanks to developers embracing agile development, microservices, and API gateway redirection that exposed ...
1 year ago Securityboulevard.com
Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning - Our structured query language (SQL) injection detection model detected triggers containing unusual patterns that did not correlate to any known open-source or commercial automated vulnerability scanning tool. We have tested all malicious payloads ...
8 months ago Unit42.paloaltonetworks.com
Unified API Protection - A massive segment of organizations' digital footprint today is built around internal and external APIs. As more IT leaders realize and acknowledge the size of APIs' influence, it's become clear that new methods are needed to secure those APIs. While ...
2 years ago Cequence.ai
What do CISOs need to know about API security in 2024? - According to Postman's 2023 State of the API Report, roughly 66% of participants indicated that their APIs contribute to generating revenue. A recent ESG survey on API security showed that 92% of organisations using APIs have experienced a breach in ...
1 year ago Cybersecurity-insiders.com
Malicious PyPI Package With Fully Automated Carding Script Attacking E-commerce Websites - This package, whose name translates to “disaster” in Filipino slang, enables attackers to test stolen credit card information against real e-commerce payment systems with minimal technical expertise required. The malicious code executes a ...
1 month ago Cybersecuritynews.com
15 PostgreSQL Monitoring Tools - 2025 - What is Good?What Could Be Better?Monitoring application performance, user experience, and errors.Some users find the pricing high, especially for larger environments.Continuous server, database, and infrastructure monitoring.The extensive feature ...
1 month ago Cybersecuritynews.com
Cybercriminals pose as "helpful" Stack Overflow users to push malware - Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware-answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware. Sonatype researcher Ax Sharma discovered ...
1 year ago Bleepingcomputer.com
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
1 month ago Cybersecuritynews.com
DPython's Poisoned Package: Another 'Blank Grabber' Malware in PyPI - Python Package Index is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload phishing packages in the platform's repository aimed at delivering malware to steal the ...
1 year ago Imperva.com
API Security: The Big Picture - Given this, it is no surprise that API security is a top priority for many security teams in the coming year. Here are 10 strategic things to look for in an API security offering. Multiple Environment Capability API security isn't very helpful if it ...
1 year ago Darkreading.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com
CVE-2024-23633 - Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to ...
1 year ago
API Gateways and API Protection: What’s the Difference? - Security Boulevard - At the security level, API security tools and gateways provide different controls to protect APIs from various threats. API protection – or API security – refers to a comprehensive set of security capabilities designed to protect APIs from a wide ...
8 months ago Securityboulevard.com
WinRAR 7.10 boosts Windows privacy by stripping MoTW data - This allows the Mark-of-the-Web security feature to continue to work with extracted files, but the alternate data stream can no longer be used to learn where the file was downloaded. Modern file archives will propagate the MoTW found in archives to ...
3 months ago Bleepingcomputer.com
Top 30 Best Penetration Testing Tools - 2025 - The tool supports various protocols and offers advanced filtering and analysis capabilities, making it ideal for diagnosing network issues, investigating security incidents, and understanding complex network interactions during penetration testing. ...
2 months ago Cybersecuritynews.com
CVE-2021-4337 - Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various versions listed below. This makes it possible for authenticated ...
1 year ago
The Limitations of Google Play Integrity API - This overview outlines the history and use of Google Play Integrity API and highlights some limitations. We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov. Google provides app attestation ...
1 year ago Securityboulevard.com
API Security in 2024: Navigating New Threats and Trends - As we step into 2024, the landscape of API security is at a critical juncture. The previous year witnessed a significant escalation in API-related breaches, impacting diverse organizations and bringing to light the critical vulnerabilities in API ...
1 year ago Cybersecurity-insiders.com