Campaign TypoSquatting PyPI Packages with Malicious Packages Containing Crypto Wallet Replacing Malware

Recent reports reveal a resurgence in a previously seen campaign typosquatting legitimate Python PyPI packages with malicious packages.
Image depicting a URL in the browser's address bar.

On February 10, 2023, Phylum security researchers reported a resurgence in a previously seen campaign typosquatting legitimate Python PyPI packages with malicious packages to deliver a malware with cryptocurrency wallet clipboard replacing capabilities. 

Context 

In November 2022, Phylum reported a similar campaign “in which threat actors attempted to replace cryptocurrency addresses in developer clipboards with their own wallet addresses by using Python to write a malicious JavaScript extension that loads anytime a browser is opened on the machine.” Phylum’s key takeaways for the campaign were: 

  • “This attacker significantly increased their footprint in PyPi through automation. Flooding the ecosystem with packages like this will continue. 
  • The use of Chinese characters, or any other Unicode plane for that matter, is an easy misdirection to detect and to dismiss. 
  • Indexing into a Python string by calling the __str__() method is clever. The vast array of Python strings available like this can be used to build up nearly any other string of code that can be used for malicious intent. However, the code must run, and all of these kinds of obfuscation techniques are ultimately hopeless.” 

Technical Details 

According to Phylum researchers, the initial infection vector is via typosquatting, and in the current campaign, the threat actors published at least 451 packages, targeting popular cryptocurrency, finance, and web development packages. 

A key difference for the current campaign, according to the report, is an attempt to obfuscate code analysis through the use of Chinese characters in variable names. 

Community Impact 

This campaign demonstrates the scale increases of cyber threats that malicious actors can achieve through automation, and the continued intent to target popular development vectors for financial gain. Retail and hospitality organizations are advised to maintain situational awareness around cyber threats to Python, especially if they leverage PyPI as part of their development operations. Defenders are advised to remain particularly cautious when dealing with packages confirmed by Phylum as targeted: 

  • aaiohttp 
  • aihottp 
  • aiohhttp 
  • aiohtpt 
  • aiohtt 
  • aiohttpp 
  • aioohttp 
  • aiothtp 
  • aiottp 
  • amtplotlib 
  • aohttp 
  • apndas 
  • atplotlib 
  • bautifulsoup4 
  • bbitcoinlib 
  • beaautifulsoup4 
  • beatuifulsoup4 
  • beautiffulsoup4 
  • beautiflsoup4 
  • beautiflusoup4 
  • beautifullsoup4 
  • beautifulosup4 
  • beautifuloup4 
  • beautifulsooup4 
  • beautifulsop4 
  • beautifulsou4 
  • beautifulsoup44 
  • beautifulsoupp4 
  • beautifulsouup4 
  • beautifulssoup4 
  • beautifulsuop4 
  • beautifusloup4 
  • beautifuulsoup4 
  • beautiifulsoup4 
  • beautiulsoup4 
  • beauttifulsoup4 
  • beauutifulsoup4 
  • beeautifulsoup4 
  • beuatifulsoup4 
  • beutifulsoup4 
  • bicoinlib 
  • bictoinlib 
  • biitcoinlib 
  • bitccoinlib 
  • bitcinlib 
  • bitcionlib 
  • bitcoiinlib 
  • bitcoilib 
  • bitcoilnib 
  • bitcoinlb 
  • bitcoinlbi 
  • bitcoinli 
  • bitcoinlibb 
  • bitcoinliib 
  • bitcoinnlib 
  • bitconilib 
  • bitconlib 
  • bitcooinlib 
  • bitocinlib 
  • bitoinlib 
  • bittcoinlib 
  • btcoinlib 
  • bticoinlib 
  • cccxt 
  • ccolorama 
  • ccryptocompare 
  • ccryptofeed 
  • ccx 
  • ccxtt 
  • ccxxt 
  • cikit-learn 
  • clorama 
  • collorama 
  • coloama 
  • coloarma 
  • coloorama 
  • coloraa 
  • coloramaa 
  • coloramma 
  • colorrama 
  • coolrama 
  • coorama 
  • crptocompare 
  • crptofeed 
  • crpytocompare 
  • crpytofeed 
  • crryptocompare 
  • crryptofeed 
  • crypocompare 
  • crypofeed 
  • crypotcompare 
  • crypotfeed 
  • crypptocompare 
  • crypptofeed 
  • cryptcompare 
  • cryptcoompare 
  • cryptfeed 
  • cryptfoeed 
  • cryptoccompare 
  • cryptocmopare 
  • cryptocmpare 
  • cryptocomapre 
  • cryptocomare 
  • cryptocommpare 
  • cryptocompaare 
  • cryptocompae 
  • cryptocompaer 
  • cryptocompar 
  • cryptocomparee 
  • cryptocomparre 
  • cryptocomppare 
  • cryptocomprae 
  • cryptocompre 
  • cryptocoompare 
  • cryptocopare 
  • cryptocopmare 
  • cryptoeed 
  • cryptoefed 
  • cryptofed 
  • cryptofede 
  • cryptofee 
  • cryptofeedd 
  • cryptofeeed 
  • cryptoocmpare 
  • cryptoocompare 
  • cryptoofeed 
  • cryptoompare 
  • crypttocompare 
  • crypttofeed 
  • crytocompare 
  • crytofeed 
  • crytpocompare 
  • crytpofeed 
  • cryyptocompare 
  • cryyptofeed 
  • csikit-learn 
  • csrapy 
  • cxct 
  • cxt 
  • cyptocompare 
  • cyptofeed 
  • cyrptocompare 
  • cyrptofeed 
  • ebautifulsoup4 
  • ebsockets 
  • ensorflow 
  • erquests 
  • eslenium 
  • etnsorflow 
  • feqtrade 
  • ferqtrade 
  • ffreqtrade 
  • freeqtrade 
  • freqqtrade 
  • freqrade 
  • freqrtade 
  • freqtade 
  • freqtarde 
  • freqtraade 
  • freqtrad 
  • freqtradde 
  • freqtradee 
  • freqtrae 
  • freqtraed 
  • freqtrdae 
  • freqtrde 
  • freqtrrade 
  • freqttrade 
  • fretqrade 
  • fretrade 
  • frqetrade 
  • frqtrade 
  • frreqtrade 
  • fyinance 
  • homeworkte 
  • homeworktee 
  • homeworkteee 
  • homeworkteeee 
  • homeworktest 
  • homeworktestt 
  • homeworktesttt 
  • homeworkwork 
  • iaohttp 
  • ibtcoinlib 
  • itcoinlib 
  • maatplotlib 
  • maplotlib 
  • matlotlib 
  • matlpotlib 
  • matpllotlib 
  • matplolib 
  • matploltib 
  • matplootlib 
  • matplotlb 
  • matplotlibb 
  • matplotliib 
  • matplottlib 
  • matpltlib 
  • matpltolib 
  • matpoltlib 
  • matpplotlib 
  • mattplotlib 
  • mmatplotlib 
  • mtaplotlib 
  • mtplotlib 
  • oclorama 
  • olana 
  • olorama 
  • oslana 
  • panads 
  • panas 
  • pandaas 
  • pandsa 
  • pgame 
  • pinstaller 
  • piynstaller 
  • pnadas 
  • pndas 
  • ppandas 
  • ppygame 
  • ppyinstaller 
  • ppython-binance 
  • ppytorch 
  • pthon-binance 
  • ptorch 
  • ptyhon-binance 
  • ptyorch 
  • pyagme 
  • pygaame 
  • pygae 
  • pygamee 
  • pygamme 
  • pyggame 
  • pygmae 
  • pyhon-binance 
  • pyhton-binance 
  • pyiinstaller 
  • pyinnstaller 
  • pyinsaller 
  • pyinsstaller 
  • pyinstaaller 
  • pyinstalelr 
  • pyinstalle 
  • pyinstalleer 
  • pyinstallerr 
  • pyinstalller 
  • pyinstallr 
  • pyinstallre 
  • pyinstlaler 
  • pyinsttaller 
  • pyintaller 
  • pyintsaller 
  • pyisntaller 
  • pynistaller 
  • pythhon-binance 
  • pythn-binance 
  • pythno-binance 
  • pytho-binance 
  • python-bbinance 
  • python-biance 
  • python-biannce 
  • python-biinance 
  • python-binaance 
  • python-binace 
  • python-binacne 
  • python-binanc 
  • python-binancce 
  • python-binancee 
  • python-binane 
  • python-binanec 
  • python-binannce 
  • python-binnace 
  • python-binnance 
  • python-binnce 
  • python-bnance 
  • python-bniance 
  • python-ibnance 
  • python-inance 
  • pythonn-binance 
  • pythoon-binance 
  • pytoch 
  • pytocrh 
  • pytohn-binance 
  • pyton-binance 
  • pytoorch 
  • pytorcch 
  • pytorchh 
  • pytorh 
  • pytorrch 
  • pytrch 
  • pytthon-binance 
  • pyttorch 
  • pyygame 
  • pyyinstaller 
  • pyython-binance 
  • pyytorch 
  • rcyptocompare 
  • rcyptofeed 
  • reqtrade 
  • rfeqtrade 
  • ryptocompare 
  • ryptofeed 
  • scarpy 
  • sccikit-learn 
  • sccrapy 
  • sciikit-learn 
  • sciikt-learn 
  • sciit-learn 
  • sciki-learn 
  • scikiit-learn 
  • scikit-earn 
  • scikit-elarn 
  • scikit-laern 
  • scikit-larn 
  • scikit-leaarn 
  • scikit-lean 
  • scikit-leanr 
  • scikit-lear 
  • scikit-learnn 
  • scikit-learrn 
  • scikit-leearn 
  • scikit-leran 
  • scikit-lern 
  • scikit-llearn 
  • scikitt-learn 
  • scikkit-learn 
  • scikt-learn 
  • scikti-learn 
  • sckiit-learn 
  • scraapy 
  • scrapyy 
  • scray 
  • scrpay 
  • scrrapy 
  • seelenium 
  • seelnium 
  • seleenium 
  • seleinum 
  • seleium 
  • seleniium 
  • seleniu 
  • seleniumm 
  • seleniuum 
  • selennium 
  • selenum 
  • sellenium 
  • selneium 
  • selnium 
  • sickit-learn 
  • sikit-learn 
  • slana 
  • sleenium 
  • sloana 
  • soalna 
  • soana 
  • solaa 
  • solaan 
  • solaana 
  • solanaa 
  • solanna 
  • sollana 
  • solna 
  • solnaa 
  • soolana 
  • srcapy 
  • sscikit-learn 
  • sscrapy 
  • sselenium 
  • ssolana 
  • teensorflow 
  • tennsorflow 
  • tenorflow 
  • tenosrflow 
  • tensofrlow 
  • tensoorflow 
  • tensorfflow 
  • tensorfllow 
  • tensorflo 
  • tensorfloow 
  • tensorfloww 
  • tensorflw 
  • tensorflwo 
  • tensorlfow 
  • tensorlow 
  • tensorrflow 
  • tensroflow 
  • tenssorflow 
  • tesnorflow 
  • tesorflow 
  • tnesorflow 
  • tnsorflow 
  • vper 
  • vpyer 
  • vvyper 
  • vyepr 
  • vyer 
  • vype 
  • vypeer 
  • vyperr 
  • vypper 
  • vypre 
  • vyyper 
  • wbesockets 
  • webbsockets 
  • webockets 
  • webosckets 
  • websckets 
  • webscokets 
  • websocckets 
  • websocets 
  • websockeets 
  • websockes 
  • websockest 
  • websocketss 
  • websocketts 
  • websockkets 
  • websocktes 
  • websockts 
  • websokcets 
  • websokets 
  • websoockets 
  • webssockets 
  • weebsockets 
  • wesbockets 
  • wesockets 
  • wwebsockets 
  • yffinance 
  • yfiance 
  • yfiannce 
  • yfiinance 
  • yfinaance 
  • yfinace 
  • yfinacne 
  • yfinancce 
  • yfinancee 
  • yfinane 
  • yfinanec 
  • yfinannce 
  • yfinnace 
  • yfinnance 
  • yfinnce 
  • yfnance 
  • yfniance 
  • ygame 
  • yper 
  • ypinstaller 
  • ypthon-binance 
  • ython-binance 
  • ytorch 
  • yvper 
  • yyfinance 

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

More Recent Blog Posts

View All Blogs