Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Python Developers Beware: Malicious Packages are Swapping Out Your Crypto Addresses

According to the IT security researchers at Phylum, dozens of malicious Python packages target developers by replacing crypto addresses in developer clipboards.

Phylum researchers have identified dozens of typosquat packages, and a separate campaign is also identified in which several more packages are involved. This campaign is also targeting developers and their cryptocurrency.

What’s worse, researchers have found that these malicious packages are downloaded over 29 million times each day.

Modus Operandi

Once the package is installed, a malicious JavaScript file is launched in the background of an ongoing web browsing session. Therefore, when a developer in the clipboard copies a cryptocurrency address, it is replaced with the attacker’s address.

So far, these packages have been downloaded more than a hundred times. The payload for each malicious package is present in the The attackers initiate the attack chain by obtaining a list of interesting paths. If the user has an administrator account, the attacker will add an additional path to the list.

Afterward, they will create an Extension director in case there isn’t one already. Lastly, the attacker will write an obfuscated JavaScript to the$APPDATA\Extension folder and a manifest.json to the $APPDATA\Extension folder to request for clipboardWrite and clipboardRead permissions.

Malicious Packages List

The list of packages is constantly expanding in this currently active campaign. In a blog post published November 7th, Phylum’s Co-founder and ex-NSA software developer Louis Lang shared the following list:

baeutifulsoup4  beautifulsup4  cloorama  cryptograpyh  crpytography  djangoo  ipyhton  mail-validator  mariabd  notebok  pillwo  pyautogiu  pygaem           pytorhc  python-dateuti  python-flask  python3-flask  pyyalm  rqeuests  slenium  sqlachemy  sqlalcemy  tkniter  urlllib  hello-world-exampl  hello-world-example  mysql-connector-pyhton

Associated Dangers

After successfully dropping the payload and gaining the required permissions, the attacker can create a textarea on the page and paste clipboard content or use regular expressions to look for common cryptocurrency address formats.

Moreover, they can replace identified addresses with attacker-controlled addresses in the already created textarea. When the compromised developer copies a wallet address, the malicious package replaces the address with an attacker-controlled address, inadvertently leading to transferring of funds to the attacker’s wallet.

However, as of now, funds haven’t been transferred to any of the attacker-controlled wallets, including the following:

  • TRX TWStXoQpXzVL8mx1ejiVmkgeUVGjZz8LRx
  • LTC LPDEYUCna9e5dYaDPYorJBXXgc43tvV9Rq
  • BNB bnb1cm0pllx3c7e902mta8drjfyn0ypl7ar4ty29uv
  • BTC bc1qqwkpp77ya9qavyh8sm8e4usad45fwlusg7vs5v
  • ETH 0x18c36eBd7A5d9C3b88995D6872BCe11a080Bc4d9

Phylum assumes that although the malicious packages have been reported, their number of downloads and package count may keep increasing.

  1. Trojan Source attack lets hackers exploit source code
  2. 6 official Python repositories plagued with crypto malware
  3. Malicious npm Packages Used in Siphoning Off Discord Tokens
  4. Cryptojacking Campaign Kiss-a-dog Hits Docker and Kubernetes
  5. Cybercriminals hit malware authors with malicious NPM packages


I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related News

Schoolyard Bully Malware Stealing Facebook Credentials on Android

Schoolyard Bully Malware Stealing Facebook Credentials on Android

Mobile security company Zimperium’s zLabs has released a warning about a notorious Android trojan that has stolen around 300,000 credentials…
8 Reasons Why Enterprises Use Java

8 Reasons Why Enterprises Use Java

Java is one of the most well-known programming languages and software platforms that is used on countless devices such as…
360m Alleged WhatsApp Records Shared Freely on Telegram and Dark Web

360m Alleged WhatsApp Records Shared Freely on Telegram and Dark Web

Previously we covered the news of a database containing 487 million up-to-date WhatsApp user records from 84 countries being sold…