CyberSecurity news
Mandvi@Cyber Security News
Cybersecurity researchers have recently identified several malicious Python packages on the Python Package Index (PyPI) repository that were designed to steal sensitive information, particularly credit card details and cryptocurrency-related data. These packages, downloaded over 39,000 times before their removal, demonstrate an increasing threat to software supply chains and the vulnerability of developers relying on open-source repositories. The malicious packages targeted both e-commerce platforms and cryptocurrency users, employing various techniques to evade detection and compromise sensitive data.
The most prevalent of these packages, "disgrasya," which translates to 'accident' or 'disaster' in Filipino, was downloaded over 34,000 times and functioned as a fully automated carding toolkit. This package specifically targeted WooCommerce stores integrated with CyberSource payment gateways, automating the process of validating stolen credit card information. It emulated legitimate shopping activity, programmatically adding items to a cart, navigating to the checkout page, and filling out the payment form, effectively bypassing fraud detection systems. Stolen card data, including numbers, expiration dates, and CVVs, was then exfiltrated to an external server controlled by the attacker.
Two other packages, "bitcoinlibdbfix" and "bitcoinlib-dev," masqueraded as fixes for issues in the legitimate "bitcoinlib" Python module. These packages attempted to overwrite the 'clw cli' command with malicious code designed to steal sensitive database files, potentially compromising cryptocurrency wallets and transactions. Researchers noted that the authors of these counterfeit libraries even engaged in GitHub issue discussions, attempting to trick users into downloading and running the malicious code. The discovery of these packages highlights the ongoing need for robust security measures and vigilance within the open-source software ecosystem.
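A defender-side check for the package names reported above, given as an added example that is not code from the researchers or from PyPI: it audits requirements.txt lines for the three named packages and for any other name that embeds a trusted package name, which is the pattern the two "bitcoinlib" look-alikes follow. The TRUSTED set, the sample lines and the name "bitcoinlib-hotfix-example" are assumptions constructed for illustration.

```python
import re

# Package names reported as malicious on this page.
KNOWN_BAD = {"disgrasya", "bitcoinlibdbfix", "bitcoinlib-dev"}
# Assumption: the legitimate packages your project intends to depend on.
TRUSTED = {"bitcoinlib"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of -, _ and . become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Return the normalized project name from one requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment, or pip option
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def audit(lines):
    """Return sorted (name, reason) findings for a list of requirement lines."""
    bad = {normalize(n) for n in KNOWN_BAD}
    trusted = {normalize(n) for n in TRUSTED}
    findings = set()
    for line in lines:
        name = requirement_name(line)
        if name is None or name in trusted:
            continue
        if name in bad:
            findings.add((name, "known-malicious"))
        else:  # look-alike: a trusted name with extra text attached
            squashed = name.replace("-", "")
            findings.update((name, "embeds trusted name " + t)
                            for t in trusted if t.replace("-", "") in squashed)
    return sorted(findings)

# Constructed sample input, not taken from a real project.
SAMPLE = """\
requests==2.31.0
bitcoinlib>=0.6   # the legitimate module
BitcoinLib_Dev==1.0
bitcoinlibdbfix
bitcoinlib-hotfix-example ; python_version >= "3.8"
-r other.txt
disgrasya[extra]==1.0
""".splitlines()

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A look-alike finding is a prompt for manual review of the package's maintainer and source, not proof of malice.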
References :
- The Hacker News: Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information.
- www.bleepingcomputer.com: A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.
- gbhackers.com: In a recent development, the ReversingLabs research team has uncovered a sophisticated software supply chain attack targeting developers of cryptocurrency applications.
- www.scworld.com: Threat actors have sought to compromise credit card information and other sensitive data through three malicious Python Package Index packages, which have been downloaded almost 40,000 times before being removed from the PyPI repository, reports The Hacker News.
- Cyber Security News: Malicious Python Packages Exploit Popular Cryptocurrency Library to Steal Sensitive Data
- cyberpress.org: Malicious Python Packages Exploit Popular Cryptocurrency Library to Steal Sensitive Data
- www.techradar.com: Malicious Python packages are stealing vital data, and have been downloaded thousands of times already
Classification:
- HashTags: #PyPI #Malware #SupplyChain
- Company: PyPI
- Target: Python developers, e-commerce platforms
- Product: PyPI
- Feature: fully automated carding toolkit
- Malware: bitcoinlibdbfix, bitcoinlib-dev, disgrasya
- Type: Malware
- Severity: High