Researchers from Checkmarx recently uncovered a campaign targeting cryptocurrency users involved with Raydium and Solana.
Description
Threat actors abused Stack Exchange to promote malicious Python packages named raydium and spl-types, which were downloaded over 2,000 times before being removed from PyPI [1] [2]. These rogue packages contained malware that stole sensitive data such as passwords, browser cookies, and cryptocurrency wallets, and included a backdoor component giving the attackers remote access to victims' machines [1] [2] [3]. The stolen data was exfiltrated to Telegram bots. A separate incident involved the distribution of the pytoileur package via Stack Overflow for cryptocurrency theft [1]. Fortinet FortiGuard Labs identified another malicious PyPI package, zlibxjson, that targeted Discord tokens, browser cookies, and passwords [1] [2] [3]. Security researcher Jenna Wang emphasized the risks of supply chain attacks delivered through community-driven platforms and the potential for unauthorized access to user accounts.
Conclusion
These incidents highlight the serious risks posed by supply chain attacks targeting cryptocurrency users. Users should remain vigilant and verify the integrity of the packages they install rather than trusting a name recommended in a forum post. Security measures such as multi-factor authentication and regular software updates help limit the impact of unauthorized access and data theft. Moving forward, both developers and users need to prioritize security and implement best practices to protect against malicious actors.
References
[1] https://thehackernews.com/2024/08/hackers-distributing-malicious-python.html
[2] https://www.443news.com/2024/08/hackers-distributing-malicious-python-packages-via-popular-developer-qa-platform/
[3] https://pledgetimes.com/python-stack-exchange-used-to-distribute-fake-packages/