Seven malicious packages on the Python Package Index (PyPI), downloaded nearly 7,500 times before their removal, were used to steal BIP39 mnemonic phrases, the word lists from which cryptocurrency wallet keys are recovered, in a software supply chain campaign tracked as BIPClip that began in December 2022, The Hacker News reports.
The attackers structured the packages to hide the malicious code, according to a ReversingLabs report: the "mnemonic_to_address" package contained nothing of its own beyond a dependency declaration on "bip39_mnemonic_decrypt", so the harmful code arrived only transitively. The "public-address-generator" package, meanwhile, worked in tandem with the "erc20-scanner" package to carry out the theft of the phrases. Attackers "were laser focused on compromising crypto wallets and stealing the cryptocurrencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations," said researcher Karlo Zanki.
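The concealment described above, where a harmless-looking package pulls the malicious one in as a dependency, is exactly what a deny list checked only against top-level requirements misses. The script below is an added illustration, not code from the article, from ReversingLabs or from the packages themselves: it walks a package-to-dependencies graph, normalizes names the way pip does (so "Mnemonic_To_Address" and "mnemonic-to-address" match), and reports the chain by which any flagged package arrived. The four indicator names are the ones the article gives (the other three packages are not named there); the sample graph and the "wallet-tool" package in it are constructed for the example, and the reader for a live environment uses the standard-library importlib.metadata API.

```python
"""Flag known-bad PyPI packages even when they arrive only as transitive
dependencies, by walking a package -> requirements graph.

Added example; not code from the original article or from ReversingLabs.
"""
from __future__ import annotations

import re
from collections import deque
from importlib import metadata

# Names reported in the article. Only four of the seven packages were named.
BIPCLIP_INDICATORS = {
    "mnemonic_to_address",
    "bip39_mnemonic_decrypt",
    "public-address-generator",
    "erc20-scanner",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: pip treats 'Foo_Bar', 'foo-bar' and 'foo.bar'
    as the same project, so a deny list has to compare normalized names."""
    return re.sub(r"[-_.]+", "-", name).lower()


# A requirement string looks like "bip39_mnemonic_decrypt>=1.0; python_version>'3'"
# or "requests[socks]>=2"; we only want the leading project name.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(req: str) -> str:
    m = _REQ_NAME.match(req)
    return normalize(m.group(1)) if m else ""


def installed_graph() -> dict[str, set[str]]:
    """Build {package: {direct dependencies}} from the running environment.
    Requirements behind extras are included too; that only over-reports."""
    graph: dict[str, set[str]] = {}
    for dist in metadata.distributions():
        name = normalize(dist.metadata["Name"])
        graph[name] = {requirement_name(r) for r in (dist.requires or [])}
    return graph


def find_indicators(graph, indicators, roots=None):
    """Return {flagged_package: [chain of packages from a root to it]}.

    roots: the names you explicitly asked for (e.g. from requirements.txt).
    With roots=None every package is a root, so a flagged package is still
    reported when nothing you wrote depends on it directly."""
    bad = {normalize(i) for i in indicators}
    graph = {normalize(k): {normalize(d) for d in v} for k, v in graph.items()}
    roots = [normalize(r) for r in roots] if roots is not None else list(graph)
    hits: dict[str, list[str]] = {}
    for root in roots:
        queue = deque([(root, [root])])
        seen = {root}
        while queue:
            pkg, chain = queue.popleft()
            if pkg in bad and pkg not in hits:
                hits[pkg] = chain  # first (shortest from this root) chain wins
            for dep in graph.get(pkg, ()):
                if dep not in seen:
                    seen.add(dep)
                    queue.append((dep, chain + [dep]))
    return hits


# Constructed sample environment (not real package metadata). The only trace
# of bip39_mnemonic_decrypt is the dependency declared by Mnemonic_To_Address,
# which a check of top-level requirement names alone would never see.
SAMPLE_GRAPH = {
    "wallet-tool": {"requests", "Mnemonic_To_Address"},
    "Mnemonic_To_Address": {"bip39_mnemonic_decrypt"},
    "bip39_mnemonic_decrypt": set(),
    "requests": {"urllib3", "certifi"},
    "urllib3": set(),
    "certifi": set(),
}


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_GRAPH, BIPCLIP_INDICATORS, roots=["wallet-tool"])
    for pkg, chain in hits.items():
        print(f"{pkg}: pulled in via {' -> '.join(chain)}")
    # Against the live interpreter's site-packages instead:
    # find_indicators(installed_graph(), BIPCLIP_INDICATORS)
```

Run against a real environment, replace SAMPLE_GRAPH with installed_graph(); the reported chain tells you which of your own requirements to remove, which matters more than the leaf package name when the leaf is only ever reached through a decoy.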