Malicious Python Packages Target Crypto Wallets Through Fake Bitcoin Library


Security researchers have uncovered multiple malicious packages on the Python Package Index (PyPI) repository targeting cryptocurrency wallets and e-commerce platforms, potentially affecting thousands of users.

ReversingLabs identified two deceptive packages - "bitcoinlibdbfix" and "bitcoinlib-dev" - that masqueraded as fixes for the legitimate "bitcoinlib" cryptocurrency wallet management module. Together, these malicious packages accumulated approximately 2,000 downloads before being removed from PyPI.

The attackers attempted to exploit ongoing discussions about error message generation in the legitimate bitcoinlib package. They joined these conversations to distribute their malicious versions, though package contributors quickly detected and removed the suspicious comments.

Both malicious libraries employed similar attack methods, attempting to overwrite the legitimate 'clw' CLI command with harmful code designed to steal sensitive database files.
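One defensive check this technique suggests is to look for console-script entry points registered by more than one installed distribution, since a lookalike package that wants to replace a command such as `clw` has to declare the same script name. The following is an added example, not code from the article or from the bitcoinlib project; the `entry_points.txt` contents and the module paths in the sample are constructed, and `installed_entry_points` reads the real metadata of whatever environment it runs in.

```python
"""Flag console-script names claimed by more than one installed package."""
from collections import defaultdict
from configparser import ConfigParser
import importlib.metadata as md

# Constructed sample entry_points.txt contents (not real package metadata):
# the legitimate CLI and a "fix" package that both register the name "clw".
SAMPLE_ENTRY_POINTS = {
    "bitcoinlib": "[console_scripts]\nclw = bitcoinlib.tools.clw:main\n",
    "bitcoinlibdbfix": "[console_scripts]\nclw = bitcoinlibdbfix.cli:main\n",
    "requests": "",  # package with no console scripts at all
}


def parse_console_scripts(text):
    """Return {script_name: 'module:callable'} from an entry_points.txt body."""
    cp = ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep script names case-sensitive
    cp.read_string(text)
    if not cp.has_section("console_scripts"):
        return {}
    return dict(cp.items("console_scripts"))


def find_collisions(entry_points_by_dist):
    """Map each script name claimed by 2+ distributions to {dist: target}."""
    owners = defaultdict(dict)
    for dist_name, text in entry_points_by_dist.items():
        for script, target in parse_console_scripts(text).items():
            owners[script][dist_name] = target
    return {script: o for script, o in owners.items() if len(o) > 1}


def installed_entry_points():
    """Collect entry_points.txt text from every distribution on this system."""
    result = {}
    for dist in md.distributions():
        result[dist.metadata["Name"]] = dist.read_text("entry_points.txt") or ""
    return result


if __name__ == "__main__":
    # On a real host, swap SAMPLE_ENTRY_POINTS for installed_entry_points().
    for script, owners in find_collisions(SAMPLE_ENTRY_POINTS).items():
        print(f"console script '{script}' is registered by: {owners}")
```

A collision is a lead, not a verdict: inspect both distributions and their install source before deciding which one actually owns the command.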

In a separate discovery, researchers at Socket identified a third malicious package called "disgrasya" targeting WooCommerce stores. This package functioned as an automated carding script and amassed over 37,000 downloads. Unlike the crypto-targeting packages, disgrasya made no attempt to hide its malicious nature.

The carding functionality, introduced in version 7.36.9, allowed criminals to test stolen credit card information for validity or make unauthorized purchases. This capability potentially enabled substantial profits through the exploitation of compromised payment card data obtained from dark web markets.

All three malicious packages have since been removed from the PyPI repository. This incident highlights the ongoing security challenges within open-source software repositories and the need for vigilance when adopting third-party packages.