Full Report
Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information. Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, masquerade as fixes for recent issues detected in a legitimate Python module called bitcoinlib, according to ReversingLabs. A third package discovered by Socket, disgrasya, contained a
Analysis Summary
# Tool/Technique: Malicious PyPI Packages (bitcoinlibdbfix, bitcoinlib-dev, disgrasya)
## Overview
A set of malicious Python packages discovered on the Python Package Index (PyPI) repository. These packages were designed to compromise users through supply chain attacks—masquerading as legitimate fixes or updates for the `bitcoinlib` Python module or, in the case of `disgrasya`, containing an automated carding script targeting WooCommerce stores.
## Technical Details
- Type: Malware/Supply Chain Attack (Malicious Libraries)
- Platform: Python/PyPI ecosystem (affecting developers/systems using these packages)
- Capabilities: Data exfiltration (database files), automated credit card fraud (carding).
- First Seen: Information not explicitly provided beyond the detection timeline (April 2025 context).
## MITRE ATT&CK Mapping
The primary focus is on supply chain compromise and subsequent impact:
- **TA0001 - Initial Access**
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Component (Injecting malicious code into legitimate software registries like PyPI)
- **TA0009 - Collection**
- T1005 - Data from Local System (Exfiltrating database files)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (Implied, as stolen data must be sent out)
## Functionality
### Core Capabilities
- **Impersonation/Masquerading:** `bitcoinlibdbfix` and `bitcoinlib-dev` posed as fixes for issues in the legitimate `bitcoinlib` package.
- **Database Exfiltration:** The two `bitcoinlib` counterfeit packages overwrite the legitimate `clw cli` command to attempt exfiltration of sensitive database files upon installation/execution.
- **Automated Carding:** The `disgrasya` package contained a fully automated script for payment fraud validation, specifically targeting WooCommerce stores using the CyberSource payment gateway.
### Advanced Features
- **Social Engineering:** Authors of the counterfeit `bitcoinlib` packages actively engaged in GitHub issue discussions to trick unsuspecting users into downloading and running the malicious library.
- **Automated Fraud Emulation:** The `disgrasya` script emulated legitimate shopping activity to validate stolen credit card data without immediately triggering fraud flags.
## Indicators of Compromise
Note: Specific file hashes, network indicators (C2s), and precise registry keys are not detailed in the provided text.
- File Hashes: [Not provided in the source document]
- File Names: `bitcoinlibdbfix`, `bitcoinlib-dev`, `disgrasya` (Package names)
- Registry Keys: [Not provided in the source document]
- Network Indicators: [Not explicitly provided, but C2 communication is required for exfiltration/carding validation]
- Behavioral Indicators:
- Installation from PyPI of the named packages.
- Attempted execution of overwritten commands (e.g., related to `clw cli`).
- Programmatic interaction with payment gateways (CyberSource).
## Associated Threat Actors
- Actors responsible for creating and publishing the malicious PyPI packages.
- Threat actors involved in automated transaction fraud (carding activity).
- Specific groups are not named in the article.
## Detection Methods
Detection is focused on library integrity and execution anomalies.
- Signature-based detection: Signatures for the specific binary payloads within the package versions.
- Behavioral detection: Monitoring for suspicious execution paths, attempts to access/package database files, or automated interactions with payment processing APIs following package installation.
- YARA rules: [Not provided in the source document]
## Mitigation Strategies
- **Source Verification:** Only install packages from trusted sources, and rigorously check the publisher and version history of dependencies, especially when applying "fixes" found outside official channels (like GitHub issues, unless linked directly from the official project).
- **Access Control:** Implement policies allowing installations only from vetted internal repositories or whitelisted public sources.
- **Principle of Least Privilege:** Limit the permissions of environments running these dependency-heavy applications to restrict scope of data exfiltration.
- **Monitoring:** Monitor system file access patterns and network connections originating from Python execution environments.
## Related Tools/Techniques
- Software supply chain attacks targeting package repositories (e.g., malicious packages on NPM, RubyGems).
- Other automated payment validation scripts/bots utilized in carding operations.