BREAKING NEWS: PyPI Malware Disguised as Crypto Wallet Tools Discovered Stealing Information
Researchers from the cybersecurity company Checkmarx have discovered malware on PyPI disguised as cryptocurrency wallet tools. These malicious packages have stolen keys and recovery phrases, targeting crypto wallets such as MetaMask, Trust Wallet, and Exodus.
The attack occurred when a new user on the platform uploaded several malicious packages designed to steal sensitive wallet data, including private keys and recovery phrases. These malicious packages, identified as “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” targeted cryptocurrency wallets like Atomic, Trust Wallet, MetaMask, Ronin, TronLink, and Exodus.
“These malware packages advertise themselves as utilities that assist in extracting recovery phrases and decrypting wallet data, seemingly offering useful functions for cryptocurrency users when restoring or managing their wallets,” researcher Yehuda Gelb from Checkmarx explained in an analysis on Tuesday.
Decoding the Method
One of the primary tactics used by the attackers was to distribute the malicious functionality across multiple dependencies. Six malware packages used a component called “cipherbcryptors,” which contained the main malicious code. This tactic takes advantage of the trust organizations and businesses often place in third-party services without suspicion, providing an entry point for the malware to infiltrate systems.
Moreover, the attackers used fake download statistics to create the impression that these packages were popular and trustworthy, tricking users into installing them. This tactic exploited the trust within the open-source community.
Notably, unlike other malware, these packages did not immediately infect devices upon installation. They only activated when users accessed the advertised features, subsequently stealing crypto wallet data. This sophisticated method increased the malware’s stealth and made detection more difficult.
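The following is an added example, not code from Checkmarx or the original article: a Python check that walks declared dependencies and reports every package whose dependency chain reaches one of the names reported above, which is how a component such as “cipherbcryptors” surfaces even when only its parent was installed deliberately. The sample graph and the names example-app and example-helper are constructed for illustration.

```python
import re
from importlib import metadata

# Package names reported in the article (lower-cased for comparison).
BLOCKLIST = {"atomicdecoderss", "trustdecoderss", "walletdecoderss",
             "exodusdecodes", "cipherbcryptors"}

def norm(name):
    """PEP 503 normalisation: case and -/_/. variants compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(requirement):
    """Project name from a Requires-Dist string such as 'foo (>=1.0) ; extra == "x"'."""
    return norm(re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement).group(1))

def installed_graph():
    """Map each installed distribution to its declared dependencies.
    Optional (extra) requirements are included, so this over-approximates."""
    graph = {}
    for dist in metadata.distributions():
        if dist.metadata["Name"]:
            graph[norm(dist.metadata["Name"])] = [req_name(r) for r in (dist.requires or [])]
    return graph

def find_paths(graph, blocklist=BLOCKLIST):
    """Return {package: chain} for every package that reaches a blocklisted name."""
    def walk(pkg, path, seen):
        if pkg in blocklist:
            return path + [pkg]
        if pkg in seen:          # already explored from this root (handles cycles)
            return None
        seen.add(pkg)
        for dep in graph.get(pkg, []):
            found = walk(dep, path + [pkg], seen)
            if found:
                return found
        return None
    hits = {pkg: walk(pkg, [], set()) for pkg in graph}
    return {pkg: chain for pkg, chain in hits.items() if chain}

# Constructed sample: the flagged component sits two levels below the app.
SAMPLE = {"example-app": ["requests", "example-helper"],
          "example-helper": ["cipherbcryptors"], "cipherbcryptors": [],
          "requests": ["urllib3"], "urllib3": []}

if __name__ == "__main__":
    for pkg, chain in find_paths(installed_graph()).items():
        print(f"{pkg}: {' -> '.join(chain)}")
```

Because these packages stayed dormant until their advertised functions were called, a hit from this check means the environment should be treated as suspect even if nothing has visibly misbehaved.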
Effective Prevention Solutions
To prevent attacks that exploit security vulnerabilities from the development phase—where a single faulty line of code can become a hacker’s entry point—businesses need fast and effective security solutions. Checkmarx offers a Static Application Security Testing (SAST) solution that helps detect and fix potential vulnerabilities early in the coding process, ensuring comprehensive system protection from the start.
With the ability to automatically scan code and identify vulnerabilities such as SQL Injection and XSS, Checkmarx helps businesses ensure their applications are secure from the early development stages. This solution not only minimizes security risks but also optimizes the software development process efficiently.
VNCS is proud to be the official distributor of Checkmarx security solutions in the Vietnamese market. Contact us to learn more about these solutions and receive comprehensive and effective security consulting.
Source: The Hacker News