Users of popular cryptocurrency wallets have been targeted in a supply chain attack involving Python packages relying on malicious dependencies to steal sensitive information, Checkmarx warns.

As part of the attack, multiple packages posing as legitimate tools for data decoding and management were uploaded to the PyPI repository on September 22, purporting to help cryptocurrency users looking to recover and manage their wallets.

“However, behind the scenes, these packages would fetch malicious code from dependencies to covertly steal sensitive cryptocurrency wallet data, including private keys and mnemonic phrases, potentially granting the attackers full access to victims’ funds,” Checkmarx explains.

The malicious packages targeted users of Atomic, Exodus, Metamask, Ronin, TronLink, Trust Wallet, and other popular cryptocurrency wallets.

To prevent detection, these packages referenced multiple dependencies containing the malicious components, and only activated their nefarious operations when specific functions were called, instead of enabling them immediately after installation.

Using names such as AtomicDecoderss, TrustDecoderss, and ExodusDecodes, these packages aimed to attract the developers and users of specific wallets and were accompanied by a professionally crafted README file that included installation instructions and usage examples, but also fake statistics.

In addition to a great level of detail to make the packages seem genuine, the attackers made them seem innocuous at first inspection by distributing functionality across dependencies and by refraining from hardcoding the command-and-control (C&C) server in them.

“By combining these various deceptive techniques — from package naming and detailed documentation to false popularity metrics and code obfuscation — the attacker created a sophisticated web of deception. This multi-layered approach significantly increased the chances of the malicious packages being downloaded and used,” Checkmarx notes.

The malicious code would only activate when the user attempted to use one of the packages’ advertised functions. The malware would try to access the user’s cryptocurrency wallet data and extract private keys, mnemonic phrases, along with other sensitive information, and exfiltrate it.

With access to this sensitive information, the attackers could drain the victims’ wallets, and potentially set up to monitor the wallet for future asset theft.

“The packages’ ability to fetch external code adds another layer of risk. This feature allows attackers to dynamically update and expand their malicious capabilities without updating the package itself. As a result, the impact could extend far beyond the initial theft, potentially introducing new threats or targeting additional assets over time,” Checkmarx notes.

Related: Fortifying the Weakest Link: How to Safeguard Against Supply Chain Cyberattacks

Related: Red Hat Pushes New Tools to Secure Software Supply Chain

Related: Attacks Against Container Infrastructures Increasing, Including Supply Chain Attacks

Related: GitHub Starts Scanning for Exposed Package Registry Credentials