
In another sign that threat actors are constantly looking for new ways to trick users into downloading malware, it was discovered that the question and answer platform known as Stack Exchange was being abused to lure unsuspecting developers to a fake Python package capable of emptying their cryptocurrency wallets.
“Once installed, the code executes automatically and sets in motion a chain of events that compromises and controls the victim’s system, while simultaneously stealing data and emptying cryptocurrency wallets,” Checkmarx researchers Yehuda Gelb and Tzaki Zornstein said in a report shared with The Hacker News.
The campaign, which began on June 25, 2024, targeted cryptocurrency users specifically associated with Raydium and Solana. Below is a list of the malicious packages found as part of the activity:
The package has been downloaded a total of 2,082 times. It is no longer available for download from the Python Package Index (PyPI) repository.

The malware hidden within the package acted as a full-fledged information stealer, stealing a wide range of data, including web browser passwords, cookies, credit card details, cryptocurrency wallets, and information related to messaging apps such as Telegram, Signal and Session.
It also has the ability to capture system screenshots and search for files containing GitHub recovery codes and BitLocker keys. The collected information was compressed and exfiltrated to two different Telegram bots controlled by the threat actor.
Additionally, a backdoor component present within the malware allowed the attackers to gain persistent remote access to the victim’s machine, opening up the possibility of future exploitation and long-term compromise.
The attack chain spans multiple stages, with the “raydium” package listing “spl-types” as a dependency in an attempt to conceal its malicious behavior and give the user the impression that it is legitimate.
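As an added example (not code from the report or from Checkmarx), the check below walks a package’s declared dependencies before anything is installed, so that a dependency hidden one level down, like “spl-types” behind “raydium”, surfaces together with how recently it was first published. The index contents, the release dates and the “solana”/“solders” entries are constructed sample values standing in for PyPI’s per-package JSON metadata.

```python
import re
from datetime import date

# Constructed, offline stand-in for PyPI's per-package metadata.
# "raydium" and "spl-types" are the names from the report; the dates
# and the "solana"/"solders" entries are hypothetical sample values.
SAMPLE_INDEX = {
    "raydium":   {"requires_dist": ["spl-types", "solana>=0.30"],
                  "first_release": date(2024, 6, 25)},
    "spl-types": {"requires_dist": [], "first_release": date(2024, 6, 25)},
    "solana":    {"requires_dist": ["solders>=0.18; python_version >= '3.8'"],
                  "first_release": date(2021, 1, 1)},
    "solders":   {"requires_dist": [], "first_release": date(2022, 1, 1)},
}
REFERENCE_DATE = date(2024, 7, 9)  # the day of the Stack Exchange question cited above

# Leading project name of a PEP 508 requirement string ("solana>=0.30; marker").
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def dep_name(requirement: str) -> str:
    """Return the normalized project name from a requirement specifier."""
    m = _NAME.match(requirement)
    if not m:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return re.sub(r"[-_.]+", "-", m.group(1)).lower()

def transitive_deps(root: str, index=SAMPLE_INDEX) -> dict:
    """Walk requires_dist from root; map each dependency to the package that pulled it in."""
    pulled_by, stack = {}, [root]
    while stack:
        pkg = stack.pop()
        for req in index.get(pkg, {}).get("requires_dist", []):
            dep = dep_name(req)
            if dep not in pulled_by and dep != root:
                pulled_by[dep] = pkg
                stack.append(dep)
    return pulled_by

def audit(root: str, today: date, max_age_days: int = 30, index=SAMPLE_INDEX) -> list:
    """Flag root and every transitive dependency that is missing or very recently published."""
    findings = []
    chain = {root: None, **transitive_deps(root, index)}
    for pkg, parent in chain.items():
        meta = index.get(pkg)
        if meta is None:
            findings.append((pkg, parent, "not found in index"))
        elif (today - meta["first_release"]).days <= max_age_days:
            findings.append((pkg, parent, f"first released {meta['first_release']}"))
    return findings

if __name__ == "__main__":
    for pkg, parent, reason in audit("raydium", REFERENCE_DATE):
        print(f"{pkg} (pulled in by {parent}): {reason}")
```

Against a live index the same walk can be fed from each package’s JSON metadata; the point is that the review happens on declared metadata, before any install-time code runs.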
What’s notable about this campaign is its use of Stack Exchange as a vector to drive adoption by posting seemingly helpful answers to developer questions related to using Python to perform swap transactions on Raydium, which reference the package in question.

“The attackers maximized their potential reach by selecting high-profile threads with thousands of views,” the researchers said, adding that their goal was “to lend credibility to the package and encourage widespread adoption.”
While the answer no longer exists on Stack Exchange, The Hacker News found a reference to “raydium” in another unanswered question posted to the Q&A site on July 9, 2024. “I’ve been struggling for many nights trying to get swap on my solana network running on Python 3.10.2 with solana, solders and Raydium installed, but I’m not having any luck,” the user said.
References to “raydium-sdk” also appear in a post titled “How to Buy and Sell Tokens on Raydium using Python: A Step-by-Step Solana Guide,” shared on social publishing platform Medium by a user named SolanaScribe on June 29, 2024.
It is currently unclear when the package was removed from PyPI, as just six days ago two other users had replied to the Medium post asking the author for help installing “raydium-sdk.” Checkmarx told The Hacker News that the posts were not the work of a threat actor.
This isn’t the first time bad actors have resorted to this method of malware distribution: earlier this year, Sonatype revealed that a package called pytoileur was being promoted through another Q&A service, Stack Overflow, and used to steal cryptocurrency.
Rather, this development is evidence that attackers are leveraging trust in these community-driven platforms to spread malware and launch large-scale supply chain attacks.
“The compromise of a single developer can inadvertently introduce vulnerabilities into a company’s entire software ecosystem, potentially affecting the entire enterprise network,” the researchers said. “This attack should serve as a wake-up call for both individuals and organizations to reevaluate their security strategies.”
This development comes after Fortinet FortiGuard Labs published details of a malicious PyPI package called zlibxjson, which is packed with functionality to steal sensitive information such as Discord tokens, cookies stored in Google Chrome, Mozilla Firefox, Brave, and Opera, and passwords saved in browsers. The library was downloaded a total of 602 times before being removed from PyPI.
“These actions could lead to unauthorized access to user accounts and the theft of personal data, clearly classifying this software as malicious,” security researcher Jenna Wang said.