A new cybersecurity threat for Python developers has been reported, where malicious actors have published over 451 unique Python packages to the official Python Package Index (PyPI) repository. The aim is to infect developer systems with a clipboard-based crypto wallet replacement malware.

The malicious code replaces a cryptocurrency address in the clipboard with the attacker’s address by creating a Chromium web browser extension and dropping a malicious JavaScript file onto the system.

[Figure: the obfuscated JavaScript payload (obfuscated-js.png)]

Targeted web browsers include Google Chrome, Microsoft Edge, Brave and Opera. The latest set of Python packages operates in the same way as the earlier wave of this campaign, differing only in the obfuscation technique used to hide the JavaScript code.

The ultimate goal of these attacks is to hijack cryptocurrency transactions and divert them to wallets controlled by the attackers.

The current (and expanding) list of packages in this ongoing campaign is as follows:

  • baeutifulsoup4
  • beautifulsup4
  • cloorama
  • cryptograpyh
  • crpytography
  • djangoo
  • hello-world-exampl
  • hello-world-example
  • ipyhton
  • mail-validator
  • mariabd
  • mysql-connector-pyhton
  • notebok
  • pillwo
  • pyautogiu
  • pygaem
  • pytorhc
  • python-dateuti
  • python-flask
  • python3-flask
  • pyyalm
  • rqeuests
  • slenium
  • sqlachemy
  • sqlalcemy
  • tkniter
  • urlllib

The report, from cybersecurity firm Phylum, highlights the growing threat that developers face from supply chain attacks, with adversaries using methods such as typosquatting to trick users into downloading fraudulent packages.
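As an added example (not code from the Phylum report), a defender-side check for the typosquatting technique described above: it flags requirement names that sit within two character edits of a well-known package, which catches the swapped, dropped and doubled letters in most of the names in the list. The KNOWN_GOOD allow-list and the sample requirements lines are constructed for this example.

```python
import re

# Constructed for this example: legitimate packages whose names the campaign
# imitates; a real check would use a curated allow-list or a lock file.
KNOWN_GOOD = {
    "beautifulsoup4", "colorama", "cryptography", "django", "ipython", "mariadb",
    "mysql-connector-python", "notebook", "pillow", "pyautogui", "pygame", "torch",
    "python-dateutil", "flask", "pyyaml", "requests", "selenium", "sqlalchemy", "urllib3",
}
# Constructed requirements.txt lines: exact names mixed with typos from the list above.
SAMPLE_REQUIREMENTS = ["requests==2.31.0", "rqeuests", "pillwo",
                       "# cryptograpyh", "cryptograpyh>=41.0", "numpy", ""]

def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    # Row 0 and column 0 hold prefix lengths (distance from/to the empty string).
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swap: 'rqeuests' -> 'requests'
    return d[len(a)][len(b)]

def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case; runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def lookalike(name: str, known=KNOWN_GOOD, max_distance: int = 2):
    """Known package this name imitates, or None if it is exact or not close to any.
    Pure edit distance misses prefix/suffix variants such as 'python-flask'."""
    n = normalize(name)
    if n in known:
        return None
    best = min(known, key=lambda k: damerau_levenshtein(n, k))
    return best if damerau_levenshtein(n, best) <= max_distance else None

def audit(requirements):
    """Map each suspicious requirement name to the legitimate package it resembles."""
    findings = {}
    for line in requirements:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>!~\[;@ ]", line, maxsplit=1)[0]
        if hit := lookalike(name):
            findings[name] = hit
    return findings
```

Running `audit(SAMPLE_REQUIREMENTS)` returns the three typosquats mapped to the packages they imitate; names built by adding a prefix or suffix, like python-flask, need a separate rule.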