Scammers Exploit Crypto Wallet Recovery Weaknesses

Seven packages were recently discovered in the Python Package Index (PyPI) that steal the BIP39 mnemonic phrases used to restore the private keys of cryptocurrency wallets. The operation, known as BIPClip, was identified by ReversingLabs researchers and targets developers who build and secure cryptocurrency wallets.

These packages, which were downloaded a total of 7,451 times before being removed from PyPI, include:

  • JSBIP39-DECRYPT (126 downloads)
  • BIP39-MNEMONIC-DECRYPT (689 downloads)
  • mnemonic_to_address (771 downloads)
  • erc20-scanner (343 downloads)
  • public-address-generator (1,005 downloads)
  • HashDecrypt (4,292 downloads)
  • HashDecrypts (225 downloads)

The malicious BIPClip campaign started on December 4, 2022, with the publication of the penultimate package in the list above, HashDecrypt. One package, mnemonic_to_address, contained no malicious code of its own and instead pointed to a hidden dependency, while two other packages sent mnemonic phrases to command-and-control servers, allowing the attackers to collect the stolen data.
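The hidden-dependency trick described above is why an audit has to follow the full dependency chain rather than only the packages a project names directly. The following is an added example, not ReversingLabs' tooling or code from the campaign: it walks `Requires-Dist` metadata transitively and flags any path that reaches one of the seven package names listed in this article. The `my-wallet-app` and `helper-lib` metadata records are constructed for the demonstration and do not describe real packages.

```python
import re
from typing import Dict, List

# The seven package names reported in the BIPClip campaign (from the article).
BIPCLIP_PACKAGES = [
    "jsbip39-decrypt",
    "bip39-mnemonic-decrypt",
    "mnemonic_to_address",
    "erc20-scanner",
    "public-address-generator",
    "HashDecrypt",
    "HashDecrypts",
]


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


BLOCKLIST = {normalize(n) for n in BIPCLIP_PACKAGES}

# The project name is the first token of a Requires-Dist value; version specifiers,
# extras and environment markers follow it and are ignored here.
_REQ_RE = re.compile(r"^Requires-Dist:\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requires_dist(metadata: str) -> List[str]:
    """Return normalized dependency names from a wheel METADATA / PKG-INFO text."""
    deps = []
    for line in metadata.splitlines():
        m = _REQ_RE.match(line)
        if m:
            deps.append(normalize(m.group(1)))
    return deps


def find_blocked_dependencies(root: str, metadata_by_pkg: Dict[str, str],
                              blocklist=BLOCKLIST) -> List[List[str]]:
    """Walk the transitive dependency graph of `root` and return every
    dependency path that ends in a blocklisted package."""
    root = normalize(root)
    hits = [[root]] if root in blocklist else []
    seen = set()
    stack = [(root, [root])]
    while stack:
        pkg, path = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        for dep in parse_requires_dist(metadata_by_pkg.get(pkg, "")):
            dep_path = path + [dep]
            if dep in blocklist:
                hits.append(dep_path)
            stack.append((dep, dep_path))
    return hits


def audit_installed_environment(blocklist=BLOCKLIST) -> Dict[str, List[List[str]]]:
    """Build the same metadata map from the packages installed in this interpreter
    and report every root package that transitively reaches a blocklisted name."""
    from importlib.metadata import distributions
    meta: Dict[str, str] = {}
    for dist in distributions():
        name = dist.metadata["Name"]
        if name:
            reqs = dist.requires or []
            meta[normalize(name)] = "\n".join(f"Requires-Dist: {r}" for r in reqs)
    report = {}
    for root in meta:
        hits = find_blocked_dependencies(root, meta, blocklist)
        if hits:
            report[root] = hits
    return report


# Constructed sample metadata (keys are normalized names). `helper-lib` looks
# harmless but pulls in HashDecrypts behind an extra, the pattern the article describes.
SAMPLE_METADATA = {
    "my-wallet-app": "Metadata-Version: 2.1\nName: my-wallet-app\n"
                     "Requires-Dist: requests (>=2.0)\nRequires-Dist: helper-lib\n",
    "helper-lib": "Metadata-Version: 2.1\nName: helper-lib\n"
                  "Requires-Dist: HashDecrypts ; extra == 'fast'\n",
    "requests": "Metadata-Version: 2.1\nName: requests\nRequires-Dist: urllib3\n",
    "urllib3": "Metadata-Version: 2.1\nName: urllib3\n",
    "hashdecrypts": "Metadata-Version: 2.1\nName: HashDecrypts\n",
}

if __name__ == "__main__":
    for path in find_blocked_dependencies("my-wallet-app", SAMPLE_METADATA):
        print("blocked dependency reached via:", " -> ".join(path))
    for root, paths in audit_installed_environment().items():
        print(f"{root}: {paths}")
```

The sample run reports the single path `my-wallet-app -> helper-lib -> hashdecrypts`; `audit_installed_environment()` applies the same walk to whatever is installed in the current interpreter. Normalizing names before comparison matters because PyPI treats `mnemonic_to_address`, `mnemonic-to-address` and `Mnemonic.To.Address` as the same project.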

The packages contained references to the GitHub profile "HashSnake", which advertises the hCrypto repository, a tool for extracting mnemonic phrases from cryptocurrency wallets that uses the HashDecrypts package. The repository's commit history indicates that the campaign has been running for more than a year.

HashSnake also maintains accounts on Telegram and YouTube, where it promotes software such as XMultichecker 2.0, a tool for checking cryptocurrency wallets. The discovery of these packages underscores the security threats associated with open-source repositories like GitHub, which can be used to distribute malicious software.

Outdated projects are attractive targets for attackers, who may take control of developers’ accounts to publish trojanized versions of products, posing significant risks to the software supply chain. Hackers can manipulate the supply chain and go undetected for extended periods, increasing the risks for developers and users alike.
