Skip to main content

Malicious actors have launched an ongoing campaign to infect developer systems with clipper malware. These actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository to achieve their goal, according to software supply chain security company Phylum. The PyPI repository is the largest repository of open-source software packages for the Python programming language and is used by millions of developers worldwide.

Phylum initially disclosed this campaign in November 2022. The campaign uses typosquatting to mimic popular Python software packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow. After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session. When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker’s address.

The malware creates a Chromium web browser extension in the Windows AppData folder and writes to it a rogue JavaScript file and a manifest.json file that requests users’ permissions to access and modify the clipboard. The targeted web browsers include Google Chrome, Microsoft Edge, Brave, and Opera. The malware modifies browser shortcuts to load the add-on automatically upon launch using the “–load-extension” command line switch.

The ultimate goal of the attacks is to hijack cryptocurrency transactions initiated by the compromised developer and reroute them to attacker-controlled wallets instead of the intended recipient. This can lead to significant financial losses for the victim. The latest set of Python packages exhibits a similar, if not the same, modus operandi, and is designed to function as clipboard-based crypto wallet replacing malware. However, the obfuscation technique used to conceal the JavaScript code has been modified.


Chinese ideographs in the code

Chinese ideographs in the code

Phylum notes that the attackers have significantly increased their footprint in PyPI through automation. They have flooded the ecosystem with packages like these and are expected to continue to do so. The findings coincide with a report from Sonatype, which found 691 malicious packages in the npm registry and 49 malicious packages in PyPI during the month of January 2023 alone.

This development illustrates the growing threat that developers face from supply chain attacks, with adversaries relying on methods like typosquatting to deceive users into downloading fraudulent packages. This campaign is an alarming reminder of the need for better supply chain security practices and the importance of regularly auditing the software packages that developers use. Developers must be cautious and check the authenticity of the packages they download and ensure that the packages they use are from a trustworthy source.

Browser extension script to hijack cryptocurrency transactions

Browser extension script to hijack cryptocurrency transactions

CryptoArmor helps protect targeted attacks on digital asset firms like Clipper Malware. CryptoArmor cybersecurity automates and simplifies security for digital asset firms. Advantaged managed protection against advanced attacks. Contact CryptoArmor to get a free demo and free assessment for security compliance management, cybersecurity risk assessment, security program building, advanced penetration testing, and detection incident response services.

CryptoArmor is cybersecurity company based in Austin, Texas. CryptoArmor offers advanced cybersecurity protection for Digital Asset Firms, Crypto Mining Companies, and Financial Institutions. Protection Against Tomorrow’s Attacks. Today.

Contact CryptoArmor:


Leave a Reply