BIPClip: Python Packages on PyPI Infected to Steal Cryptocurrency Wallet Recovery Phrases
Plus, WordPress Plugin Vulnerabilities Fuel Malware Campaigns, Infecting Thousands of Sites
Security Researchers Uncover Sophisticated Software Supply Chain Attack Aiming to Compromise Crypto Assets, Highlighting Risks in Open-Source Repositories
A set of seven packages discovered on the Python Package Index (PyPI) repository has been found to harbor malware designed to steal BIP39 mnemonic phrases, which are crucial for recovering the private keys of cryptocurrency wallets. ReversingLabs has dubbed the software supply chain attack campaign BIPClip, noting that the packages collectively amassed 7,451 downloads before being removed from PyPI.
According to security researcher Karlo Zanki, the attack, active since December 4, 2022, targets developers involved in cryptocurrency wallet generation and security projects, reflecting the persistent interest of threat actors in crypto-related supply chain attacks.
In a bid to evade detection, one of the packages, mnemonic_to_address, appeared benign on its own but listed bip39-mnemonic-decrypt, the package containing the malicious component, as a dependency. The malware operates by exfiltrating the stolen mnemonic phrases to a server controlled by the threat actors.
Additionally, packages such as public-address-generator and erc20-scanner serve as lures to transmit stolen data to the same command-and-control (C2) server. Another package, hashdecrypts, functions independently, harvesting data through near-identical code.
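The lure-plus-dependency pattern above is why a block list checked only against a project's directly declared packages is not enough: the malicious code arrives through a package the developer never typed. The following added example (not code from the ReversingLabs report or from any of the packages it describes) walks the full dependency graph from the declared roots, normalizes names the way PyPI does (PEP 503, so `mnemonic_to_address` and `Mnemonic-To.Address` compare equal), and reports the chain through which each flagged package is pulled in. The `SAMPLE_GRAPH`, `wallet-tool` and `requests` entries are constructed stand-ins; the flagged names are the ones named in the report. `installed_graph()` builds the same structure from the running interpreter using the standard-library `importlib.metadata` API.

```python
"""
Added example: find block-listed packages anywhere in a dependency tree,
including transitive dependencies hidden behind an innocent-looking lure.
"""
import re
from collections import deque
from importlib import metadata

# Package names reported in the BIPClip write-up.
FLAGGED = {
    "mnemonic_to_address",
    "bip39-mnemonic-decrypt",
    "public-address-generator",
    "erc20-scanner",
    "hashdecrypts",
}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> str:
    """Bare, normalised project name from a PEP 508 requirement string such as
    'bip39-mnemonic-decrypt>=1.0; python_version>"3"' or 'foo[extra]'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    return normalize(m.group(1))


def find_flagged(graph, roots, flagged=FLAGGED):
    """Breadth-first walk from the declared root dependencies.

    graph: normalised package name -> list of PEP 508 requirement strings.
    Returns {flagged_pkg: [root, ..., flagged_pkg]}, i.e. the shortest chain
    that pulls each flagged package in, so the lure package is visible too.
    """
    flagged_n = {normalize(n) for n in flagged}
    hits, seen = {}, set()
    queue = deque((normalize(r), [normalize(r)]) for r in roots)
    while queue:
        pkg, path = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        if pkg in flagged_n:
            hits[pkg] = path
        for req in graph.get(pkg, []):
            dep = requirement_name(req)
            if dep not in seen:
                queue.append((dep, path + [dep]))
    return hits


def installed_graph():
    """Same graph shape, built from the packages installed in this interpreter."""
    graph = {}
    for dist in metadata.distributions():
        if dist.metadata is None:  # skip broken/partial installs
            continue
        graph[normalize(dist.metadata["Name"])] = list(dist.requires or [])
    return graph


# Constructed sample graph (not real package metadata). 'wallet-tool' is a
# hypothetical application; 'requests' and friends stand in for benign deps.
SAMPLE_GRAPH = {
    "wallet-tool": ["requests>=2.0", "mnemonic_to_address==0.1"],
    "requests": ["urllib3", "certifi"],
    "mnemonic-to-address": ["bip39-mnemonic-decrypt"],
    "bip39-mnemonic-decrypt": [],
    "urllib3": [],
    "certifi": [],
}

if __name__ == "__main__":
    for pkg, chain in find_flagged(SAMPLE_GRAPH, ["wallet-tool"]).items():
        print(f"flagged package {pkg!r} pulled in via: {' -> '.join(chain)}")
```

Run against `installed_graph()` with the names from a project's own requirements file as roots to audit a real environment; the chain in the output tells you which declared dependency to remove, which is the actionable part when the flagged name itself never appears in your manifest.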
ReversingLabs uncovered references to a GitHub profile named "HashSnake," featuring a repository named hCrypto, advertised as a tool to extract mnemonic phrases from crypto wallets. The campaign, ongoing for over a year, indicates a concerted effort by threat actors to compromise crypto assets.
Furthermore, the HashSnake account maintains a presence on Telegram and YouTube, promoting malicious tools such as xMultiChecker 2.0, emphasizing the threat posed by organized cybercriminals within open-source ecosystems.
These findings underscore the risks inherent in open-source repositories, exacerbated by the exploitation of abandoned projects by threat actors. The case serves as a reminder for developers and organizations to remain vigilant against software supply chain attacks and adopt robust security measures to safeguard against such threats.
Exploitation of Popup Builder and Ultimate Member Plugins Puts WordPress Sites at Risk, Highlighting Urgency for Patching and Vigilance
A new malware campaign exploiting a high-severity security flaw in the Popup Builder plugin for WordPress has infected more than 3,900 sites within three weeks, as reported by Sucuri. Orchestrated from domains registered since February 12, 2024, the attacks capitalize on CVE-2023-6000, allowing the injection of malicious JavaScript code.
The malware campaign, identified by security researcher Puja Srivastava, injects two variants of malicious code aimed at redirecting site visitors to phishing and scam pages. WordPress site owners are urged to maintain up-to-date plugins and conduct scans for suspicious code or users to mitigate risks.
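The "scan for suspicious code" advice above can be made concrete. The following added example (my own code, not Sucuri's or a WordPress project's) takes rows of stored site content, such as post bodies or option values exported from the database, and flags two things: `<script>` tags loading JavaScript from hosts outside a per-site allowlist, and inline scripts carrying common obfuscation markers. `ALLOWED_HOSTS`, the record locations and the `malicious.invalid` domain are constructed placeholders, not indicators from the campaign.

```python
"""
Added example: triage stored WordPress content for injected script tags.
Regex-based on purpose (a first-pass check, not an HTML parser).
"""
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption; set per site).
ALLOWED_HOSTS = {"example-site.test", "cdnjs.cloudflare.com"}

# Constructs that rarely appear in hand-written site JavaScript but are
# routine in injected redirect payloads.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "atob(", "document.write(")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def classify_src(url, allowed_hosts):
    """None if the script is same-site (relative path) or on the allowlist,
    otherwise the offending hostname. Handles protocol-relative '//host/x.js'."""
    host = urlparse(url).hostname
    if host is None:
        return None
    host = host.lower()
    return None if host in allowed_hosts else host


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (kind, detail, evidence) findings for one HTML blob."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src:
            bad_host = classify_src(src.group(1), allowed_hosts)
            if bad_host:
                findings.append(("external-script", bad_host, src.group(1)))
        stripped = body.strip()
        if stripped:
            marker = next((mk for mk in OBFUSCATION_MARKERS if mk in stripped), None)
            if marker:
                findings.append(("obfuscated-inline", marker, stripped[:60]))
    return findings


def scan_records(records, allowed_hosts=ALLOWED_HOSTS):
    """records: iterable of (location, text), e.g. (table#id, column value).
    Returns [(location, finding), ...] so each hit can be traced to a row."""
    return [(loc, f) for loc, text in records for f in scan_html(text, allowed_hosts)]


# Constructed sample rows (not real site data or campaign indicators).
SAMPLE_RECORDS = [
    ("wp_posts#12", '<p>Hello</p><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>'),
    ("wp_options#option_x", '<script src="//malicious.invalid/cache.js"></script>'),
    ("wp_posts#13", '<script>eval(String.fromCharCode(118,97,114));</script><script src="/wp-includes/js/jquery.js"></script>'),
]

if __name__ == "__main__":
    for loc, (kind, detail, evidence) in scan_records(SAMPLE_RECORDS):
        print(f"{loc}: {kind} ({detail}) {evidence}")
```

Feed it the columns where plugin-driven injections typically land (post content, widget text, and plugin-owned option values) rather than only rendered pages, since the stored copy is what survives a cache flush; every hit still needs a human look, because minified legitimate libraries can also contain `eval(` or `document.write(`.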
This incident occurs alongside Wordfence's disclosure of a high-severity cross-site scripting (XSS) vulnerability in the Ultimate Member plugin (CVE-2024-2123), affecting versions up to 2.8.3. Exploitation of this flaw, characterized by insufficient input sanitization, could grant unauthenticated attackers administrative user access on vulnerable sites.
The Ultimate Member vulnerability follows a similar flaw (CVE-2024-1071) addressed in version 2.8.3, highlighting the ongoing security challenges faced by WordPress plugins. Additionally, a file upload vulnerability in the Avada WordPress theme (CVE-2024-1468) has been discovered, allowing authenticated attackers to upload arbitrary files for potential remote code execution.
These incidents underscore the critical need for WordPress site owners to promptly apply security patches and remain vigilant against emerging threats to safeguard their websites from exploitation and malware infections.