Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal BIP39 mnemonic phrases used for recovering private keys of a cryptocurrency wallet.
The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times before they were removed from PyPI. The list of packages is as follows:
- jsBIP39-decrypt (126 downloads)
- bip39-mnemonic-decrypt (689 downloads)
- mnemonic_to_address (771 downloads)
- erc20-scanner (343 downloads)
- public-address-generator (1,005 downloads)
- hashdecrypt (4,292 downloads)
- hashdecrypts (225 downloads)
BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to have been active since at least December 4, 2022, when hashdecrypt was first published to the registry.
"This is just the latest software supply chain campaign to target crypto assets," security researcher Karlo Zanki said in a report shared with The Hacker News. "It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors."
In a sign that the threat actors behind the campaign were careful to avoid detection, one of the packages in question -- mnemonic_to_address -- contained no malicious functionality of its own; its only hostile trait was declaring bip39-mnemonic-decrypt, the package that carried the malicious component, as a dependency.
"Even if they did opt to look at the package's dependencies, the name of the imported module and invoked function are carefully chosen to mimic legitimate functions and not raise suspicion, since implementations of the BIP39 standard include many cryptographic operations," Zanki explained.
That dependency, for its part, is designed to steal mnemonic phrases and exfiltrate the information to an actor-controlled server.
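The lure-plus-dependency pattern described above means a review of a package's own source is not enough; the transitive dependency graph has to be checked as well. The following is an added example (not code from ReversingLabs or from the article) that walks a dependency graph, normalizes names the way PyPI does, and reports the full chain through which any package on a blocklist becomes reachable; the blocklist holds the seven package names reported above, and the sample graph and the `my-wallet-tool` project name are constructed for illustration.

```python
"""Flag blocklisted PyPI packages reachable through a project's dependency graph."""
import re
from importlib import metadata

# Package names taken from the BIPClip report above.
BIPCLIP_PACKAGES = {
    "jsBIP39-decrypt", "bip39-mnemonic-decrypt", "mnemonic_to_address",
    "erc20-scanner", "public-address-generator", "hashdecrypt", "hashdecrypts",
}

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req):
    """Distribution name from a requirement string such as
    'bip39-mnemonic-decrypt>=0.1; python_version>"3"' (extras/markers dropped)."""
    m = _REQ_NAME.match(req)
    return normalize(m.group(1)) if m else None


def flagged_paths(graph, roots, blocklist=BIPCLIP_PACKAGES):
    """Depth-first walk of graph {package: [requirement strings]} from roots.
    Returns every chain root -> ... -> flagged package, so a reviewer sees which
    benign-looking package pulled the flagged one in."""
    bad = {normalize(p) for p in blocklist}
    deps = {normalize(k): [requirement_name(r) for r in v] for k, v in graph.items()}
    hits, seen = [], set()
    stack = [(normalize(r), [normalize(r)]) for r in roots]
    while stack:
        pkg, path = stack.pop()
        if pkg in bad:
            hits.append(path)
        if pkg in seen:          # cycle / diamond guard
            continue
        seen.add(pkg)
        stack.extend((d, path + [d]) for d in deps.get(pkg, []) if d)
    return hits


def installed_graph():
    """Graph of the current interpreter's installed distributions."""
    return {d.metadata["Name"]: d.requires or [] for d in metadata.distributions()}


# Constructed sample mirroring the report: the lure declares the malicious package.
SAMPLE_GRAPH = {
    "my-wallet-tool": ["requests>=2.0", "mnemonic_to_address"],
    "mnemonic_to_address": ["bip39-mnemonic-decrypt>=0.1"],
    "bip39-mnemonic-decrypt": [],
    "requests": ["urllib3<3", "certifi"],
}

if __name__ == "__main__":
    for chain in flagged_paths(SAMPLE_GRAPH, ["my-wallet-tool"]):
        print(" -> ".join(chain))
```

Running `flagged_paths(installed_graph(), [name for name in installed_graph()])` checks a real environment, but note that a blocklist only catches names already known to be bad; the chain output is the part that makes the indirect pull-in visible.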
Two other packages identified by ReversingLabs – public-address-generator and erc20-scanner – operate in an analogous fashion, with the former acting as a lure to transmit the mnemonic phrases to the same command-and-control (C2) server.
On the other hand, hashdecrypts works a little differently: it is not designed to operate as one half of a pair and instead contains near-identical data-harvesting code itself.
The package, per the software supply chain security firm, includes references to a GitHub profile named "HashSnake," which features a repository called hCrypto that's advertised as a way to extract mnemonic phrases from crypto wallets using the package hashdecrypts.
A closer examination of the repository's commit history reveals that the campaign has been underway for over a year: until March 1, 2024, the same date hashdecrypts was uploaded to PyPI, one of the Python scripts imported the hashdecrypt package (without the "s") instead of hashdecrypts.
It's worth pointing out that the threat actors behind the HashSnake account also have a presence on Telegram and YouTube to advertise their warez. This includes releasing a video on September 7, 2022, showcasing a crypto logs checker tool dubbed xMultiChecker 2.0.
"The content of each of the discovered packages was carefully crafted to make them look less suspicious," Zanki said.
"They were laser focused on compromising crypto wallets and stealing the cryptocurrencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations."
The findings once again underscore the security threats that lurk within open-source package repositories, a problem exacerbated by the fact that legitimate services like GitHub are used as a conduit to distribute malware.
Furthermore, abandoned projects are becoming an attractive vector for threat actors to seize control of developer accounts and publish trojanized versions that could then pave the way for large-scale supply chain attacks.
"Abandoned digital assets are not relics of the past; they are ticking time bombs and attackers have been increasingly taking advantage of them, transforming them into trojan horses within the open-source ecosystems," Checkmarx noted last month.
"MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains could be hijacked to mislead users and spread malicious intent."