The JFrog Security Research team identified the malicious “ccxt-mexc-futures” PyPI package as a serious threat to the cryptocurrency trading community. Posing as an extension of the legitimate CCXT library, the package silently redirects MEXC trading requests to an attacker-controlled server, exposing the user's trading API credentials to theft. The report highlights the obfuscation techniques used to hide the malicious behaviour and advises anyone who installed the package to revoke the API keys and tokens they used with it. Affected: cryptocurrency trading platforms, software repositories, users of the CCXT package
Keypoints :
- The ccxt-mexc-futures package claims to add MEXC futures trading capabilities on top of CCXT.
- It builds on the trusted CCXT library, which is widely adopted in the crypto space, to borrow its credibility.
- The malicious package overrides key CCXT API methods so that requests go to an attacker-controlled server instead of the exchange.
- Obfuscation techniques are used to conceal the package's true purpose from casual code review.
- Users are advised to revoke the API keys and tokens used with the package as soon as it is detected.
- JFrog Xray has been updated to detect this malicious package and protect users.
MITRE Techniques :
- T1071.001: Application Layer Protocol: Web Protocols – the package talks to the attacker's server over HTTP(S), so the hijacked trading requests blend in with legitimate exchange API traffic.
- T1059.006: Command and Scripting Interpreter: Python – the loader is Python code whose payload is base64-encoded and handed to eval at runtime.
- T1027: Obfuscated Files or Information – base64-encoded strings mask the malicious code so it does not stand out on inspection.
Indicators of Compromise :
- [URL] https://v3[.]mexc[.]workers[.]dev/describe.json
- [URL] https://www[.]greentreeone[.]com/api/platform/spot/v4
- [URL] https://futures[.]greentreeone[.]com/api/v1
- [URL] https://futures[.]greentreeone[.]com/api/v1/private
- [URL] https://www[.]greentreeone[.]com
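The two checks below are an added example written for this summary; they are not code from the JFrog report or from the ccxt-mexc-futures package. The first scans a Python source file for the loader shape the report describes (a base64 payload passed straight to eval/exec) and for the IOC hostnames listed above. The second walks a ccxt-style describe() dictionary and reports any API endpoint whose host is not on an allow-list, which is how an overridden describe() that swaps in attacker endpoints would surface at runtime. The sample source text, the "hijacked" describe dictionary and the allow-list of legitimate hosts are constructed for the demo and are assumptions of this example, as are the function names and regular expressions.

```python
"""Post-alert checks for a hijacked CCXT-style package (added example)."""
import base64
import re
from urllib.parse import urlsplit

# IOC hostnames from the report, with the defanging brackets removed.
IOC_HOSTS = {
    "v3.mexc.workers.dev",
    "www.greentreeone.com",
    "futures.greentreeone.com",
}

# eval()/exec() fed directly from a b64decode() call on the same line:
# the base64-then-eval loader shape the report describes.
_EVAL_B64 = re.compile(r"\b(eval|exec)\s*\([^\n]*?b64decode\s*\(")
# A base64 literal passed to b64decode(), so we can show what it hides.
_B64_LITERAL = re.compile(
    r"b64decode\s*\(\s*[rb]?['\"]([A-Za-z0-9+/=]{16,})['\"]"
)


def scan_source(text):
    """Return (kind, detail) findings for one Python source file's text."""
    findings = []
    for m in _EVAL_B64.finditer(text):
        findings.append(("b64_eval_loader", m.group(0)))
    for m in _B64_LITERAL.finditer(text):
        try:
            payload = base64.b64decode(m.group(1), validate=True)
            decoded = payload.decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64, nothing to show
        findings.append(("decoded_payload", decoded.strip()[:80]))
    for host in sorted(IOC_HOSTS):
        if host in text:
            findings.append(("ioc_host", host))
    return findings


def _walk_urls(node, path):
    """Yield (dotted_path, url) for every string inside a nested urls dict."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_urls(value, f"{path}.{key}")
    elif isinstance(node, (list, tuple)):
        for i, value in enumerate(node):
            yield from _walk_urls(value, f"{path}[{i}]")


def audit_exchange_urls(describe, allowed_hosts):
    """Return (path, host) for every API URL whose host is not allow-listed.

    `describe` has the shape of ccxt's Exchange.describe() output; only the
    urls.api subtree is checked, since that is what requests are sent to.
    """
    api_urls = describe.get("urls", {}).get("api", {})
    suspicious = []
    for path, url in _walk_urls(api_urls, "urls.api"):
        host = urlsplit(url).hostname
        if host not in allowed_hosts:
            suspicious.append((path, host))
    return suspicious


# --- constructed sample inputs (not real package contents) ---------------
_PAYLOAD = base64.b64encode(b"print('hello')").decode()
SAMPLE_MALICIOUS = (
    "import base64\n"
    'API = "https://futures.greentreeone.com/api/v1"\n'
    'exec(base64.b64decode("' + _PAYLOAD + '").decode())\n'
)
SAMPLE_CLEAN = "import ccxt\nex = ccxt.mexc()\nprint(ex.describe()['urls'])\n"

# Assumed legitimate exchange hosts; take the real list from upstream ccxt.
ALLOWED_HOSTS = {"api.mexc.com", "contract.mexc.com"}
HIJACKED_DESCRIBE = {
    "id": "mexc",
    "urls": {
        "api": {
            "spot": "https://www.greentreeone.com/api/platform/spot/v4",
            "contract": "https://futures.greentreeone.com/api/v1",
        },
        "www": "https://www.mexc.com",
    },
}
CLEAN_DESCRIBE = {
    "id": "mexc",
    "urls": {"api": {"spot": "https://api.mexc.com",
                     "contract": "https://contract.mexc.com"}},
}

if __name__ == "__main__":
    for kind, detail in scan_source(SAMPLE_MALICIOUS):
        print(f"{kind}: {detail}")
    for path, host in audit_exchange_urls(HIJACKED_DESCRIBE, ALLOWED_HOSTS):
        print(f"unexpected host at {path}: {host}")
```

Run scan_source over each file under the package's site-packages directory and audit_exchange_urls against the live describe() of any exchange object the package builds; a hit on either is grounds to revoke the keys used with that environment, as the report advises.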
Full Story: https://jfrog.com/blog/malicious-pypi-package-hijacks-mexc-orders-steals-crypto-tokens/