https://checkmarx.com/blog/stackexchange-abused-to-spread-malicious-python-package-that-drains-victims-crypto-wallets

Cybersecurity researchers warn of a new malware campaign targeting cryptocurrency users. Hackers uploaded malicious Python packages to the PyPI repository and used StackExchange to promote them to unsuspecting victims.

The packages, named after popular blockchain projects like Raydium and Solana, were downloaded over 2,000 times before being removed. Once installed, the packages steal browser data, messages from apps like Telegram and Signal, and cryptocurrency wallet details from services like Exodus and Electrum.

The malware can also take screenshots and steal files with specific keywords, sending everything to a Telegram channel controlled by the attackers.

According to Checkmarx, the attackers exploited the fact that Raydium has no official Python library: a package carrying the project's name therefore looked legitimate at first glance.

The attackers then turned to StackExchange, a popular Q&A platform for developers. They created accounts and posted answers and comments in relevant threads, promoting their fake packages as helpful tools. The high quality of those answers further enticed victims to download the malware.

Researchers believe the impact of this campaign could be significant, with some victims even having their cryptocurrency wallets drained. Notably, traditional antivirus failed to detect the threat, highlighting the importance of code inspection before use.

This incident underscores the dangers of blindly trusting packages found online, even on reputable platforms like PyPI. Users should always verify the author’s credibility and inspect the code before installing any package.
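One way to act on that advice before running `pip install` is a pre-install scan of the sdist for the behaviours this article names (a Telegram bot endpoint for exfiltration, Exodus/Electrum wallet references, a `setup.py` install hook). The script below is an added illustration, not code from the Checkmarx post; the package contents it scans are constructed here and the patterns are coarse review signals, not proof of malice.

```python
import io
import re
import tarfile

# Heuristic indicators drawn from the behaviour described in the article.
# A hit means "read this file by hand", not "this package is malicious".
INDICATORS = {
    "telegram-exfil": re.compile(r"api\.telegram\.org/bot", re.I),
    "wallet-path": re.compile(r"\b(Exodus|Electrum)\b.*?(wallet|seed)", re.I),
    "messenger-data": re.compile(r"Telegram Desktop|\btdata\b|Signal Desktop"),
    "install-hook": re.compile(r"cmdclass\s*=\s*\{.*?(install|develop)", re.I | re.S),
}

def scan_sdist(data: bytes) -> list[tuple[str, str]]:
    """Open an sdist tar.gz from memory; return (member, indicator) hits for .py files."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for name, pattern in INDICATORS.items():
                if pattern.search(text):
                    hits.append((member.name, name))
    return hits

def build_sample_sdist(files: dict[str, str]) -> bytes:
    """Constructed sample: build an sdist-like tar.gz in memory from path -> text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed example: setup.py registers an install hook; the module references a
# Telegram bot endpoint (placeholder token) and an Exodus wallet directory.
SAMPLE = build_sample_sdist({
    "pkg-1.0/setup.py": "from setuptools import setup\nsetup(name='pkg', cmdclass={'install': Hook})\n",
    "pkg-1.0/pkg/__init__.py": "URL = 'https://api.telegram.org/bot<PLACEHOLDER>/sendDocument'\nWALLET = 'Exodus/exodus.wallet'\n",
    "pkg-1.0/README.md": "api.telegram.org/bot mentioned in docs only; not a .py file",
})

if __name__ == "__main__":
    for member, indicator in scan_sdist(SAMPLE):
        print(f"{indicator:15} {member}")
```

Run it against a real download with `pip download --no-deps --no-binary :all: <name>` and pass the resulting tar.gz bytes to `scan_sdist`; review every flagged file before installing.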