In a new twist on cybercrime, hackers are using popular developer Q&A platforms like Stack Exchange to distribute malicious Python packages designed to steal cryptocurrency and sensitive data. This latest campaign targets developers with bogus packages that, once installed, execute malicious code to compromise systems and drain cryptocurrency wallets.
According to Checkmarx researchers Yehuda Gelb and Tzachi Zornstain, the campaign began on June 25, 2024, and specifically targets users involved with Raydium and Solana. The malicious packages identified include:
- raydium (762 downloads)
- raydium-sdk (137 downloads)
- sol-instruct (115 downloads)
- sol-structs (292 downloads)
- spl-types (776 downloads)
These packages, collectively downloaded 2,082 times, have since been removed from the Python Package Index (PyPI) repository.
The malware hidden within these packages acts as a comprehensive information stealer, targeting data such as web browser passwords, cookies, credit card details, cryptocurrency wallets, and information from messaging apps like Telegram, Signal, and Session. It also includes capabilities to capture system screenshots and search for files containing GitHub recovery codes and BitLocker keys. This information is then compressed and sent to two Telegram bots controlled by the attackers.
Additionally, the malware includes a backdoor component that provides attackers with persistent remote access to victims’ machines, allowing for potential long-term exploitation.
The attack chain involves multiple stages: the “raydium” package that developers were told to install lists “spl-types” as a dependency, so the top-level package appears legitimate while the malicious components are pulled in through the dependency chain.
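The two behaviours described above, a stealer that exfiltrates to Telegram bots and a payload hidden behind a declared dependency, are the kind of thing a pre-install check can surface before `pip install` runs anything. The following is an added example written for this page, not code from Checkmarx, PyPI, or the packages described: it opens a wheel, lists its `Requires-Dist` entries against an allowlist, and walks each Python file's AST looking for import-time `exec` of decoded blobs and for strings matching the campaign's behaviour (Telegram bot API, BitLocker, recovery codes). The sample wheel, the package names `demo-swap` and `demo-types`, and the indicator patterns are constructed for the example.

```python
import ast
import base64
import io
import re
import zipfile
from email.parser import Parser

# Indicators modelled on the behaviour the article describes (Telegram exfil,
# BitLocker keys, GitHub recovery codes, decode-then-exec staging).
# Pattern choices are this example's own, not Checkmarx's detection logic.
STRING_INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "bitlocker": re.compile(r"bitlocker", re.I),
    "github_recovery_codes": re.compile(r"recovery[-_ ]?codes?", re.I),
}
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
DECODERS = {"b64decode", "b32decode", "fromhex"}


def scan_source(src: str) -> set:
    """Return a set of indicator labels found in one Python source file."""
    findings = set()
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return {"unparseable"}  # obfuscated or deliberately odd code: look manually
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for label, pattern in STRING_INDICATORS.items():
                if pattern.search(node.value):
                    findings.add(label)
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DYNAMIC_EXEC:
                findings.add(f"call:{func.id}")
            elif isinstance(func, ast.Attribute) and func.attr in DECODERS:
                findings.add(f"decode:{func.attr}")
    # Module-level exec/eval runs as soon as the package is imported (or, in a
    # setup.py, as soon as it is installed): the stage-1 loader pattern.
    for stmt in tree.body:
        if (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                and isinstance(stmt.value.func, ast.Name)
                and stmt.value.func.id in DYNAMIC_EXEC):
            findings.add("import_time_exec")
    return findings


def requirement_name(req: str) -> str:
    """'foo[extra]>=1.0; python_version>"3"' -> 'foo' (lowercased)."""
    return re.split(r"[\s;<>=!~\[(]", req.strip(), maxsplit=1)[0].lower()


def scan_wheel(wheel_bytes: bytes, allowed_deps: set) -> dict:
    """Inspect a wheel before installing it: declared dependencies, any outside
    allowed_deps, and scan_source() results for every .py file inside."""
    report = {"dependencies": [], "unexpected_dependencies": [], "findings": {}}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dist-info/METADATA"):
                meta = Parser().parsestr(zf.read(name).decode("utf-8"))
                for req in meta.get_all("Requires-Dist") or []:
                    dep = requirement_name(req)
                    report["dependencies"].append(dep)
                    if dep not in allowed_deps:
                        report["unexpected_dependencies"].append(dep)
            elif name.endswith(".py"):
                hits = scan_source(zf.read(name).decode("utf-8"))
                if hits:
                    report["findings"][name] = sorted(hits)
    return report


def build_sample_wheel() -> bytes:
    """Constructed sample for this example only, not a real package: 'demo-swap'
    declares a helper 'demo-types' and its __init__ exec()s a base64 blob at
    import time, with a Telegram bot URL (placeholder, never contacted) ready for exfil."""
    stage2 = base64.b64encode(b"print('stage 2 would run here')\n").decode()
    init_py = (
        "import base64\n"
        "BOT = 'https://api.telegram.org/bot<TOKEN>/sendDocument'\n"
        f"exec(base64.b64decode({stage2!r}))\n"
    )
    metadata = (
        "Metadata-Version: 2.1\nName: demo-swap\nVersion: 0.1.0\n"
        "Requires-Dist: demo-types\nRequires-Dist: requests>=2.0\n\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_swap/__init__.py", init_py)
        zf.writestr("demo_swap-0.1.0.dist-info/METADATA", metadata)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_wheel(build_sample_wheel(), allowed_deps={"requests"})
    print("dependencies:", result["dependencies"])
    print("unexpected:", result["unexpected_dependencies"])
    for path, hits in result["findings"].items():
        print(f"{path}: {', '.join(hits)}")
```

Treat this as triage, not a verdict: string indicators are trivially evaded by splitting literals or fetching stage 2 from the network, and a wheel carries no `setup.py`, so for an sdist the same scan must also cover `setup.py`, which is what runs at install time. The dependency check is the part that would have caught the pattern on this page: a package recommended in a forum answer that quietly pulls in a second, unfamiliar package deserves a look at that package before anything is installed.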
A key aspect of the attack is the use of Stack Exchange to promote these malicious packages. Hackers posted seemingly helpful answers to developer questions about executing swap transactions in Raydium using Python, directing users to download the malicious packages.
Although the answer has been removed from Stack Exchange, references to “raydium” have been found in another unanswered question posted on July 9, 2024. Additionally, a Medium post titled “How to Buy and Sell Tokens on Raydium using Python: A Step-by-Step Solana Guide,” shared by a user named SolanaScribe on June 29, 2024, also referenced “raydium-sdk.”
It remains unclear when the packages were removed from PyPI, as users have recently commented on the Medium post seeking help with “raydium-sdk.” Checkmarx confirmed to The Hacker News that the post is not authored by the threat actor.
This method of distributing malware through Q&A platforms is not new. In May, Sonatype revealed a similar case where a package named pytoileur was promoted via Stack Overflow to facilitate cryptocurrency theft.
This development highlights how attackers exploit trust in community-driven platforms to propagate malware, leading to widespread supply chain attacks. “A single compromised developer can inadvertently introduce vulnerabilities into an entire company’s software ecosystem, potentially affecting the whole corporate network,” the researchers noted.
The report coincides with Fortinet FortiGuard Labs uncovering a malicious PyPI package called zlibxjson, which stole sensitive information such as Discord tokens, cookies from popular browsers, and stored passwords. The package was downloaded 602 times before being removed from PyPI.
“These actions can lead to unauthorized access to user accounts and the exfiltration of personal data, clearly classifying the software as malicious,” security researcher Jenna Wang explained.