According to the IT security researchers at Phylum, dozens of malicious Python packages target developers by replacing crypto addresses in developer clipboards.
Phylum researchers have identified dozens of typosquat packages, and a separate campaign is also identified in which several more packages are involved. This campaign is also targeting developers and their cryptocurrency.
What’s worse, researchers have found that these malicious packages are downloaded over 29 million times each day.
Modus Operandi
Once the package is installed, a malicious JavaScript file is launched in the background of an ongoing web browsing session. Therefore, when a developer in the clipboard copies a cryptocurrency address, it is replaced with the attacker’s address.
So far, these packages have been downloaded more than a hundred times. The payload for each malicious package is present in the setup.py. The attackers initiate the attack chain by obtaining a list of interesting paths. If the user has an administrator account, the attacker will add an additional path to the list.
Afterward, they will create an Extension director in case there isn’t one already. Lastly, the attacker will write an obfuscated JavaScript to the$APPDATA\\Extension folder and a manifest.json to the $APPDATA\\Extension folder to request for clipboardWrite and clipboardRead permissions.
Malicious Packages List
The list of packages is constantly expanding in this currently active campaign. In a blog post published November 7th, Phylum’s Co-founder and ex-NSA software developer Louis Lang shared the following list:
baeutifulsoup4 beautifulsup4 cloorama cryptograpyh crpytography djangoo ipyhton mail-validator mariabd notebok pillwo pyautogiu pygaem pytorhc python-dateuti python-flask python3-flask pyyalm rqeuests slenium sqlachemy sqlalcemy tkniter urlllib hello-world-exampl hello-world-example mysql-connector-pyhton
Associated Dangers
After successfully dropping the payload and gaining the required permissions, the attacker can create a textarea on the page and paste clipboard content or use regular expressions to look for common cryptocurrency address formats.
Moreover, they can replace identified addresses with attacker-controlled addresses in the already created textarea. When the compromised developer copies a wallet address, the malicious package replaces the address with an attacker-controlled address, inadvertently leading to transferring of funds to the attacker’s wallet.
However, as of now, funds haven’t been transferred to any of the attacker-controlled wallets, including the following:
- TRX TWStXoQpXzVL8mx1ejiVmkgeUVGjZz8LRx
- LTC LPDEYUCna9e5dYaDPYorJBXXgc43tvV9Rq
- BNB bnb1cm0pllx3c7e902mta8drjfyn0ypl7ar4ty29uv
- BTC bc1qqwkpp77ya9qavyh8sm8e4usad45fwlusg7vs5v
- ETH 0x18c36eBd7A5d9C3b88995D6872BCe11a080Bc4d9
Phylum assumes that although the malicious packages have been reported, their number of downloads and package count may keep increasing.
