Bitcoin Forum
Topic: [Warning]: Malicious PyPi package found, replacing crypto related addresses
Dave1 (OP), February 15, 2023, 12:42:16 AM (last edit: November 18, 2023, 01:25:28 AM by Dave1), #1

New PyPI packages have been discovered by Phylum that target crypto-related wallet addresses through typo-squatting. So the new attack includes the following packages:

Then, once it is installed, it will quietly replace any crypto wallet address copied to the user's clipboard with the attacker's controlled wallet addresses.



https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack

As reported, this kind of attack has been found in the wild since November, but the attacks have been increasing.

So just be careful downloading any Chrome extension that is related to crypto; check everything. Maybe a VM will do to at least minimize the risk. Do not be lazy in protecting our crypto assets.

Or maybe this could help: Finding malicious PyPI packages through static code analysis: Meet GuardDog

mk4, February 15, 2023, 05:31:59 AM, #2

It boggles my mind how lazy people are about double-checking wallet addresses. It literally takes like <5 seconds in exchange for you not losing your money to potential clipboard hijacks.

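The "double-check the address" advice above has a subtle side to it: the address the malware swaps in is itself a perfectly valid address, so checksum validation passes for both the real and the substituted string, and only a comparison against the destination you actually meant to pay catches the swap. The script below is an added example written for this page, not code from the thread, from Phylum or from any wallet project. It implements the two checksum schemes a clipboard hijacker has to respect (Base58Check for 1.../3... addresses, bech32 per BIP173 for bc1... addresses) and a `paste_guard` check that a wallet or a careful human should make right before signing. The two 20-byte payloads used to build the demo addresses are constructed, not real keys.

```python
"""Added example: a valid-looking address is not the same as the intended one.

Base58Check (1.../3...) and bech32 (bc1...) checksums are implemented here so the
demo runs offline; the victim/attacker payloads are constructed, not real keys.
"""
from __future__ import annotations

import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
_GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def b58check_encode(payload: bytes) -> str:
    """version byte + hash160 -> Base58Check string (each leading 0x00 byte -> '1')."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_valid(addr: str) -> bool:
    """True if the trailing 4 bytes equal the double-SHA256 of the rest."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + (n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b"")
    if len(raw) < 5:
        return False
    body, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum


def _bech32_polymod(values: list[int]) -> int:
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= _GEN[i]
    return chk


def bech32_valid(addr: str) -> bool:
    """BIP173 checksum check (constant 1; bech32m/BIP350 would use 0x2bc830a3)."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is rejected by the spec
    addr = addr.lower()
    pos = addr.rfind("1")  # '1' is the separator; it is not in the data charset
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32 for c in data):
        return False
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(expanded + [BECH32.index(c) for c in data]) == 1


def address_kind(s: str) -> str | None:
    """Classify a clipboard string the way address-swapping malware would."""
    if s.startswith(("1", "3")) and b58check_valid(s):
        return "base58check"
    if s.lower().startswith("bc1") and bech32_valid(s):
        return "bech32"
    return None


def paste_guard(intended: str, pasted: str) -> str:
    """The check to make just before signing: valid AND equal to what you copied."""
    kind = address_kind(pasted)
    if kind is None:
        return "reject: not a valid address"
    if pasted != intended:
        return f"reject: valid {kind} address, but not the one you copied"
    return "ok"


# Constructed demo payloads: version 0x00 (P2PKH) + 20 arbitrary bytes each.
VICTIM_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))
ATTACKER_ADDR = b58check_encode(b"\x00" + bytes(range(21, 41)))

if __name__ == "__main__":
    print(VICTIM_ADDR, address_kind(VICTIM_ADDR))      # both validate...
    print(ATTACKER_ADDR, address_kind(ATTACKER_ADDR))  # ...so validity proves nothing
    print(paste_guard(VICTIM_ADDR, ATTACKER_ADDR))     # only the comparison catches it
```

The point of `paste_guard` is the order of the checks: the checksum only rules out typos and truncation, while the equality test against the copied destination is what defeats a clipboard swap, which is exactly the step a hurried user skips.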
noorman0, February 15, 2023, 07:22:16 AM, #3

I just found out about the term PyPI with a short Google search. Sorry for my limited knowledge of the functionality of this software, but I am wondering what the degree of chance is for an attacker to get at least one user mistake or omission so that this attack works, while PyPI users (in my assumption) have an advanced level of technical knowledge compared to the average crypto user?

Quote
-snip-
So just be careful downloading any chrome extension that is related to crypto, check everything.

I think it's not even a browser extension, cmiiw.

Maus0728, February 15, 2023, 08:51:28 AM, #4

@noorman0 @Dave1

The Python packages that are listed are commonly used in the field of data science and machine learning, if I remember correctly from my previous years at university. From what I understand, it is not about downloading a "browser extension" but rather about installing mistyped packages through the official repository for Python packages using Python's package manager, called pip.

Quote
wondering what is the degree of chance for an attacker to get at least one user mistake or omission so this attack works

Many developers or data scientists use these packages, which could result in hundreds of thousands or millions of downloads per day. Knowing this, you can safely assume that some developers will install packages with typos, and some of these typosquatted packages can end up on the computers of data scientists who are also cryptocurrency users.

Take, for instance, the TensorFlow package, one of the popular machine learning packages in python. According to pypistats.org, as of February 2023[1], TensorFlow has been downloaded more than 15,000,000 times in the last 30 days, translating to an average of approximately 600,000 downloads per day. That alone can give you an idea how susceptible developers are when it comes to downloading malicious python packages.

[1] https://pypistats.org/packages/tensorflow


███▄▀██▄▄
░░▄████▄▀████ ▄▄▄
░░████▄▄▄▄░░█▀▀
███ ██████▄▄▀█▌
░▄░░███▀████
░▐█░░███░██▄▄
░░▄▀░████▄▄▄▀█
░█░▄███▀████ ▐█
▀▄▄███▀▄██▄
░░▄██▌░░██▀
░▐█▀████ ▀██
░░█▌██████ ▀▀██▄
░░▀███
▄▄██▀▄███
▄▄▄████▀▄████▄░░
▀▀█░░▄▄▄▄████░░
▐█▀▄▄█████████
████▀███░░▄░
▄▄██░███░░█▌░
█▀▄▄▄████░▀▄░░
█▌████▀███▄░█░
▄██▄▀███▄▄▀
▀██░░▐██▄░░
██▀████▀█▌░
▄██▀▀██████▐█░░
███▀░░
hugeblack, February 15, 2023, 11:25:06 AM, #5


Quote
Take, for instance, the TensorFlow package, one of the popular machine learning packages in python. According to pypistats.org, as of February 2023[1], TensorFlow has been downloaded more than 15,000,000 times in the last 30 days, translating to an average of approximately 600,000 downloads per day. That alone can give you an idea how susceptible developers are when it comes to downloading malicious python packages.

[1] https://pypistats.org/packages/tensorflow


I have been using the TensorFlow package for several months and it is installed on my device, but nothing happened? I did not read the details of what happened, but in general it is better to have a separate computer or phone that works as a hot wallet in addition to cold storage. Using the same computer is a waste of time.

If the information is correct, then there must be a third party, because most of these packages work offline.

witcher_sense, February 15, 2023, 11:29:32 AM, #6

Many of these PyPI packages are very popular amongst cryptocurrency wallet developers, which may result in honest developers unintentionally building malicious cryptocurrency applications. Let me explain. Developing a new application usually implies the use of third-party modules specifically designed to provide certain functionality. In short, you don't reinvent the wheel if it has already been created by someone; you use it in the "automobiles" you construct. The problem is that not all developers check the source code of the packages they include in their project; if a third-party application provides the required API endpoints, you just connect to them and continue building your project. As a result, we can have numerous applications built on top of cryptocurrency stealers, and that may negatively affect the future of the cryptocurrency field. Of course, this concerns only small-scale projects whose codebase is not being actively looked at by dozens of developers.

Maus0728, February 15, 2023, 11:34:27 AM, #7

@hugeblack

From what I understand, it's because you have installed the legitimate one and not those typosquatted TensorFlow packages, which can be installed on your machine when any of the following has been entered in your terminal or Anaconda notebook.

Code:
teensorflow
tennsorflow
tenorflow
tenosrflow
tensofrlow
tensoorflow
tensorfflow
tensorfllow
tensorflo
tensorfloow
tensorfloww
tensorflw
tensorflwo
tensorlfow
tensorlow
tensorrflow
tensroflow
tenssorflow
tesnorflow
tesorflow
tnesorflow
tnsorflow
- https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack
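Every one of the 22 names listed above is exactly one keystroke away from tensorflow: a dropped letter (tesorflow), two neighbouring letters swapped (tesnorflow) or a doubled letter (tenssorflow). The script below is an added example for this page and is not code from the thread, from Phylum or from any project. It generates that one-slip variant set and confirms the published list sits inside it, then audits a constructed requirements.txt against a small allowlist the way a CI step could, which speaks to the odds question in post #4 and to the "nobody reviews what they pull in" point in post #6: a name that is a near miss of something you use is flagged, and so is any entry that is not pinned to an exact version and a sha256 hash (pip's real `--require-hashes` mode refuses such lines). The allowlist, the requirement lines and the digests are constructed for the demo; the parser assumes one plain requirement per line, with no URLs, editable installs or backslash continuations.

```python
"""Added example: model the one-keystroke typosquat space of a package name and
audit a requirements file against it plus an allowlist.

The allowlist, the sample requirements and the sha256 digests are constructed.
"""
from __future__ import annotations

import re

# The 22 names reported by Phylum, as quoted in post #7 above.
PHYLUM_TYPOSQUATS = {
    "teensorflow", "tennsorflow", "tenorflow", "tenosrflow", "tensofrlow",
    "tensoorflow", "tensorfflow", "tensorfllow", "tensorflo", "tensorfloow",
    "tensorfloww", "tensorflw", "tensorflwo", "tensorlfow", "tensorlow",
    "tensorrflow", "tensroflow", "tenssorflow", "tesnorflow", "tesorflow",
    "tnesorflow", "tnsorflow",
}


def typo_variants(name: str) -> set[str]:
    """Single-keystroke slips: drop a char, swap two neighbours, double a char."""
    name = name.lower()
    out: set[str] = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                  # deletion
        out.add(name[:i] + name[i] * 2 + name[i + 1:])    # doubled key
        if i + 1 < len(name):                             # transposition
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    out.discard(name)
    return out


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold, collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Simplified "name[extras]<specifier> --hash=sha256:..." grammar (assumption:
# one requirement per line, no URLs, no editable installs, no continuations).
_REQ = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(?P<spec>[^#\s]*)(?P<rest>.*)$"
)


def audit_requirements(text: str, allowlist: set[str]) -> list[tuple[str, str]]:
    """Return (package, finding) pairs for every requirement that needs a look."""
    allow = {normalize(n) for n in allowlist}
    lookalikes = {v: real for real in allow for v in typo_variants(real)}
    findings: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r / --index-url
        m = _REQ.match(line)
        if not m:
            findings.append((line, "unparsed line"))
            continue
        name = normalize(m.group("name"))
        if name in allow:
            pass
        elif name in lookalikes:
            findings.append((name, f"possible typosquat of {lookalikes[name]}"))
        else:
            findings.append((name, "not on allowlist"))
        if not m.group("spec").startswith("=="):
            findings.append((name, "version not pinned with =="))
        if "--hash=sha256:" not in m.group("rest"):
            findings.append((name, "no --hash pin (pip --require-hashes rejects it)"))
    return findings


# Constructed sample file; the digests are placeholders, not real wheel hashes.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
tensorflow==2.11.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
tesnorflow==2.11.0
numpy>=1.24
Requests==2.28.2 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""
ALLOWLIST = {"tensorflow", "numpy", "requests"}

if __name__ == "__main__":
    missing = PHYLUM_TYPOSQUATS - typo_variants("tensorflow")
    print("Phylum names outside the one-slip model:", missing or "none")
    for pkg, why in audit_requirements(SAMPLE_REQUIREMENTS, ALLOWLIST):
        print(f"{pkg}: {why}")
```

Run against the sample, the audit passes `tensorflow` and `Requests` (exact pin, hash present, on the allowlist) and reports `tesnorflow` as a lookalike of tensorflow and `numpy` as unpinned; both also lack a hash. Pre-generating the variant set is the same trick defenders use to build blocklists or to register the names themselves before an attacker does.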

dkbit98, February 15, 2023, 08:01:06 PM, #8

Quote
So just be careful downloading any chrome extension that is related to crypto, check everything. Maybe A VM will do to at least minimized the risk. Do not be lazy in protecting our crypto assets.

This malicious package is probably affecting the wind0ws OS, so the best protection is to change operating system to open-source Linux or closed-source macOS.
As for web browsers, I would install only a minimal number of extensions; something like uBlock Origin is a good idea, but I wouldn't experiment with random add-ons.
I would also use a separate computer device for bitcoin wallets; then you will be much more protected from most malware attacks.



nc50lc, February 16, 2023, 04:49:30 AM, #9

Quote
A new PyPi packages has been discovered by Phylum that targets crypto related wallet address thru typo-squatting. So the new attack includes the following packages:

And then once it is installed, it will quietly replace any crypto wallet address copied to the user's clipboard with the attacker's controlled wallet addresses.

To be more precise: those packages are the targets of the typo-squatting, which marks them as the "attacked packages", and they are not part of the new attack.

It's a good thing that you've included a link to the article in OP because the ambiguity in the post may cause some misunderstanding (already did?).

NotATether, February 16, 2023, 07:50:42 AM, #10

It looks like they have all been taken down, as I don't see any of them when searching for their names on PyPI.

Quote
I just found out about the term PyPi with a short google search. Sorry for my limited knowledge of the functionality of this software, wondering what is the degree of chance for an attacker to get at least one user mistake or omission so this attack works, while PyPi users (in my assumption) have an advanced level of technical knowledge compared to the average crypto user?

Actually, it just works because a user types pip install <misspelled package> instead of pip install <correct package name>.

Quote
-snip-
So just be careful downloading any chrome extension that is related to crypto, check everything.

I think it's not even a browser extension, cmiiw.

I'm curious to know how it even manages to get the browser extension running in the first place. It appears to only work on Chrome browsers and derivatives, and even then, Chrome will alert you when anybody has installed some unknown package, which you can then purge from your system.

hugeblack, February 16, 2023, 02:24:10 PM, #11

Quote
From what I understand, its because you have installed the legitimate one and not those typosquatted TensorFlow packages that can be properly installed to your machine when any of the following has been entered on your terminal or anaconda notebook.

This makes sense now; generally I only use a read-only wallet on my online device, so the false sense of security is not good, especially with these viruses that change the receiving address.
The person should be more careful and check the address carefully before sending.
