A recent malware campaign that leveraged PyPI to steal people’s cryptocurrency is not only still active, but has significantly expanded in the last three months.
According to a new report from cybersecurity researchers Phylum, the threat actors would create malicious Python packages and upload them to PyPI, the programming language’s largest code repository.
Developers (opens in new tab) would then download these packages to speed up the development process, effectively compromising themselves and everyone who uses their products.
PyPl typosquatting
The threat actors would engage in typosquatting – a technique where the malicious package has a name almost identical to a legitimate package, with the difference being in just one letter or symbol. That way, the developers that mistype the name as they look for specific packages could end up unknowingly infecting their products. Furthermore, should they search for packages and come up with multiple ones with similar names, they might not have the time or the patience to analyze them thoroughly.
When this campaign was first spotted in 2022, the researchers found exactly 27 packages – but this number has now swollen to 451. The threat actors would impersonate some of the more popular packages, each of which would have between 13 and 38 typosquatted versions.
Those that download the malicious package could end up having their cryptocurrency stolen. The malware would install an add-on to some of the most popular browsers (Chrome, Edge, Brave, Opera), which would monitor the clipboard for cryptocurrency addresses. If it spots one, it would replace it with another address that’s hardcoded to the add-on during pasting.
The idea is that people don’t memorize crypto wallets, but rather copy/paste them when sending funds. Wallet addresses are a long string of random characters, making it virtually impossible to remember one. It also means that when copying and pasting one, the address can be swapped out relatively easily, without the victim noticing anything (unless they inspect both addresses to make sure they’re identical, which is a recommended best practice).
Users that are not careful can easily end up losing all of their cryptos in a transaction that cannot be reversed (unless it was sent out to a third party such as an exchange, which is highly unlikely).
Via: BleepingComputer (opens in new tab)
