A new wave of malicious packages has been uncovered in the Python Package Index (PyPI) repository, posing as cryptocurrency wallet recovery and management tools but instead stealing sensitive user data and facilitating the theft of digital assets.
Checkmarx researcher Yehuda Gelb revealed that the attack specifically targeted users of popular crypto wallets such as Atomic, Trust Wallet, Metamask, Ronin, TronLink, and Exodus. The fake packages, which appeared to offer utilities for retrieving mnemonic phrases and decrypting wallet data, were designed to attract cryptocurrency users seeking recovery or management solutions.
In reality, these malicious packages were used to steal private keys, mnemonic phrases, and other sensitive wallet information, including transaction histories and balances. The compromised packages, which garnered hundreds of downloads before removal, included:
- atomicdecoderss (366 downloads)
- trondecoderss (240 downloads)
- phantomdecoderss (449 downloads)
- trustdecoderss (466 downloads)
- exodusdecoderss (422 downloads)
- walletdecoderss (232 downloads)
- ccl-localstoragerss (335 downloads)
- exodushcates (415 downloads)
- cipherbcryptors (450 downloads)
- ccl_leveldbases (407 downloads)
The threat actors strategically named these packages to appeal to developers in the cryptocurrency space and added installation instructions, usage examples, and even “best practices” to enhance their credibility.
To further deceive users, the attacker fabricated download statistics, making the packages appear popular and trustworthy. Malicious functionality was embedded in the packages but only triggered when certain functions were executed, making it harder to detect. Collected data was then exfiltrated to a remote server using a technique known as “dead drop resolver,” which allowed the attacker to update server information without pushing new package updates.
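Because the malicious code only ran when specific functions were called, a runtime check of an installed environment could easily miss it; a static check of dependency manifests against the reported names does not depend on the payload executing. The following is an added example (not code from the page or from Checkmarx) that scans a constructed requirements file for the packages listed above, normalizing names the way pip does (PEP 503) so that spellings such as `ccl_localstoragerss` and `CCL-LevelDBases` are still matched:

```python
import re

# Package names reported in the Checkmarx findings described above (taken from the page).
MALICIOUS_PACKAGES = {
    "atomicdecoderss", "trondecoderss", "phantomdecoderss", "trustdecoderss",
    "exodusdecoderss", "walletdecoderss", "ccl-localstoragerss", "exodushcates",
    "cipherbcryptors", "ccl_leveldbases",
}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase and collapse runs of '-', '_', '.' to '-'.
    pip treats 'ccl_leveldbases' and 'CCL-LevelDBases' as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

_NORMALIZED_BLOCKLIST = {normalize(n) for n in MALICIOUS_PACKAGES}

# A requirement line starts with the project name, optionally followed by extras,
# a version specifier, an environment marker or a trailing comment.
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def find_flagged(requirements_text: str) -> list[tuple[int, str]]:
    """Return (line_number, normalized_name) for every requirement whose project
    name is on the blocklist. Blank lines, comments and pip options are skipped."""
    hits = []
    for lineno, line in enumerate(requirements_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue  # comments and options such as -r / --index-url
        match = _REQ_NAME.match(stripped)
        if match and normalize(match.group(1)) in _NORMALIZED_BLOCKLIST:
            hits.append((lineno, normalize(match.group(1))))
    return hits

# Constructed sample requirements file (not from the page) mixing benign pins with
# the reported names in the different spellings pip would accept.
SAMPLE_REQUIREMENTS = """\
# constructed example
requests==2.32.3
ccl_localstoragerss>=1.0
CCL-LevelDBases[extra] ; python_version >= "3.8"
cryptography
exodusdecoderss
"""

if __name__ == "__main__":
    for lineno, name in find_flagged(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name} matches a reported malicious package")
```

The same normalization applies to `pip freeze` output or a lock file, so the function can be pointed at any of them.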
This attack, which exploited trust in open-source communities, is part of a broader trend of targeting the cryptocurrency sector, where threat actors continuously find new ways to siphon funds from unsuspecting users.