Checkmarx has found crypto-draining malware on the PyPI platform for a second time.
Cybersecurity firm Checkmarx has alerted the crypto community of malware found uploaded to the platform Python Package Index (PyPI). PyPI is a platform that developers use to upload code for sharing purposes. The malware, embedded into software packages that look legitimate, can drain funds from crypto wallets.
“These packages, bearing names like ‘AtomicDecoderss,’ ‘TrustDecoderss,’ ‘WalletDecoderss,’ and ‘ExodusDecodes,’ masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets,” said Checkmarx in its report. A random PyPI user uploaded the packages, with the malware embedded in them, to harm whoever downloaded them. The packages mimic wallet-decoding applications for some of the most popular crypto storage options, including Atomic, Trust, Exodus, and MetaMask, and they initially went unnoticed.
The malware becomes evident only on close inspection; Checkmarx noted that it drains crypto from PyPI users’ wallets when they call functions from the packages. This malware is not new: Checkmarx previously reported that PyPI was unknowingly harboring it. PyPI then took action to stop new code from being uploaded and prevented new user accounts from being registered until the malicious packages were removed. However, the malware returned in late September, and Checkmarx caught it again. The malware-associated packages have been downloaded 3,700 times since.
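The pattern described above, lookalike packages whose names combine a wallet brand with a "decoder" suffix, is something a build pipeline can screen for before installation. The following script is an added example and is not Checkmarx's tooling or any code from the report: it parses a requirements file, flags exact matches against the package names the report quoted, and flags near-matches and brand-plus-"decod" names as suspicious. The wallet brand list, the similarity threshold, and the sample requirements file are assumptions constructed for illustration.

```python
"""Screen a requirements.txt for the wallet-decoder lookalike packages
described in the Checkmarx report. Added example, not the report's code."""
import difflib
import re
from typing import Optional

# Package names quoted in the Checkmarx report (lower-cased for comparison).
REPORTED_MALICIOUS = {
    "atomicdecoderss", "trustdecoderss", "walletdecoderss", "exodusdecodes",
}

# Wallet products the fake packages imitated, per the article. Treating them
# as name tokens for a heuristic is an assumption made for this example.
WALLET_BRANDS = ["atomic", "trust", "exodus", "metamask", "wallet"]

# Similarity threshold for "looks like a reported name"; assumed value.
NEAR_MATCH_RATIO = 0.85


def normalize(name: str) -> str:
    """PEP 503-style normalization: lower-case, collapse -, _ and . runs."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Return the package names from requirements.txt-style lines,
    skipping comments, blank lines and option lines such as -r or --index-url."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(match.group(1))
    return names


def classify(name: str) -> Optional[str]:
    """Return a verdict string for a suspicious package name, else None."""
    compact = normalize(name).replace("-", "")
    if compact in REPORTED_MALICIOUS:
        return "reported-malicious"
    # Names one edit away from a reported one (e.g. a single 's' dropped).
    best = max(difflib.SequenceMatcher(None, compact, bad).ratio()
               for bad in REPORTED_MALICIOUS)
    if best >= NEAR_MATCH_RATIO:
        return "near-reported-name"
    # The general pattern the report describes: <wallet brand> + "decod...".
    if "decod" in compact and any(b in compact for b in WALLET_BRANDS):
        return "wallet-decoder-pattern"
    return None


def scan(requirements_text: str) -> list:
    """Return (name, verdict) pairs for every flagged dependency."""
    flagged = []
    for name in parse_requirements(requirements_text):
        verdict = classify(name)
        if verdict:
            flagged.append((name, verdict))
    return flagged


# Constructed sample input; the first line is a benign control entry.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
AtomicDecoderss
trust-decoderss>=1.0   # hyphenated variant of a reported name
atomicdecoders
metamask-decoder
-r other-requirements.txt
"""

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_REQUIREMENTS):
        print(f"{name:20s} {verdict}")
```

Run it against a real requirements file by replacing `SAMPLE_REQUIREMENTS` with the file's contents; anything flagged should be held for manual review rather than installed. The exact-match list only covers the four names the report quoted, so the two heuristics are there to catch renamed re-uploads of the kind the article says already happened once.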
Malware Finds Deeper Footing in the Crypto Ecosystem
The crypto ecosystem has witnessed growing malware deployments this year, with many masquerading as popular platforms only to drain user funds. A McAfee report found that SpyAgent, malware infecting Android devices, spread because cybercriminals disguised it inside applications resembling popular ones. SpyAgent predominantly targeted South Korean crypto users, though UK users have also unsuspectingly downloaded it. About 280 fake applications were found to be housing the malware.
Another report, by Moonlock, stated that malware called AMOS targeted Mac users, again hidden inside applications disguised as well-known ones. Researchers found AMOS embedded in applications that offer the same look and feel as Figma, Loom, and Callzy. Even the websites that hosted the fake applications looked like the real ones.
Aqua Security identified yet another piece of malware, though it works differently from crypto drainers. PG_MEM, as it is called, infects Postgres databases around the world and hijacks their resources for crypto mining. While no crypto is stolen, attackers use computing resources that are not theirs to mine blocks and collect the mining rewards.