The cybersecurity researchers at Checkmarx uncovered a series of new supply chain attacks that exploited the Python Package Index (PyPI) in September 2024, using malicious packages to target cryptocurrency wallets. The packages, identified as “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” targeted wallets including Atomic, Trust Wallet, Metamask, Ronin, TronLink, and Exodus. The attack involved a new user on the platform who uploaded several malicious packages designed to steal sensitive wallet data, namely the private keys and mnemonic (recovery) phrases needed to access and control a cryptocurrency wallet.

According to the Checkmarx report shared with Hackread.com ahead of publishing on Tuesday, each package came with a professionally written README file, complete with installation instructions, usage examples, and even “best practices” for virtual environments. Once the user began using one of the features advertised by the threat actors, the malware would activate, access the targeted user’s cryptocurrency wallet, and steal its private keys and recovery phrases. Further analysis revealed that the threat actors heavily obfuscated the code within the “cipherbcryptors” package, making it difficult for automated security tools and cybersecurity researchers to identify its malicious intent. With access to private keys and recovery phrases, attackers can quickly drain cryptocurrency wallets.

Software developers and unsuspecting users should therefore be cautious of such attacks, especially when downloading packages from PyPI, particularly those that offer cryptocurrency-related services and include access to wallets.
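The report notes that heavy obfuscation kept automated tools from recognising the malicious code. As an added example (not Checkmarx's tooling and not derived from the packages named above), the script below shows the kind of pre-install triage a defender can run over a downloaded package's source: it walks the AST and counts constructs typical of obfuscated loaders. The indicators (dynamic execution, decoding calls, long high-entropy string literals) and the sample inputs are assumptions and constructed data, not a description of how “cipherbcryptors” itself was obfuscated.

```python
"""Heuristic triage of Python source for signs of an obfuscated loader.

Added example; the indicators below are generic assumptions about how
obfuscated payloads are commonly staged, not findings from the article.
"""
import ast
import math
import string
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or compressed blobs score near 5-6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def obfuscation_indicators(source: str) -> dict:
    """Count suspicious constructs by walking the parsed module."""
    found = {"dynamic_exec": 0, "decode_calls": 0, "opaque_strings": 0}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            # Works for both bare names (exec) and attributes (base64.b64decode).
            name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
            if name in ("exec", "eval", "compile"):
                found["dynamic_exec"] += 1
            if name in ("b64decode", "decompress", "fromhex", "unhexlify"):
                found["decode_calls"] += 1
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Long string literals that look random are likely encoded payloads.
            if len(node.value) >= 64 and shannon_entropy(node.value) > 4.5:
                found["opaque_strings"] += 1
    return found


def is_suspicious(source: str) -> bool:
    """Flag for manual review when dynamic execution is fed opaque data."""
    f = obfuscation_indicators(source)
    return f["dynamic_exec"] > 0 and (f["decode_calls"] > 0 or f["opaque_strings"] > 0)


# Constructed samples: a benign helper and a loader that executes a decoded blob.
BENIGN = "def add(a, b):\n    return a + b\n"
OPAQUE = string.ascii_letters + string.digits + "+/"  # 64 distinct chars, max entropy
LOADER = f"import base64, zlib\nexec(zlib.decompress(base64.b64decode('{OPAQUE}')))\n"

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("loader", LOADER)):
        print(label, obfuscation_indicators(src), "suspicious" if is_suspicious(src) else "clean")
```

A hit is a prompt for manual review, not proof of malice; obfuscation that avoids these constructs (for example, string concatenation or custom decoders) will pass this check, so it complements rather than replaces package provenance and reputation checks.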
This Cyber News was published on hackread.com. Publication date: Tue, 01 Oct 2024 16:43:06 +0000