Topic: [Warning]: Malicious PyPi package found, replacing crypto related addresses (Read 155 times)

legendary
Activity: 2464
Merit: 3548
Buy/Sell crypto at BestChange
From what I understand, it's because you have installed the legitimate one and not those typosquatted TensorFlow packages that can be properly installed to your machine when any of the following has been entered on your terminal or anaconda notebook.
This makes sense now, generally I only use readonly wallet with my online device, so the false sense of security is not good especially with these viruses that change the receiving address.
The person should be more careful and check the address carefully before sending.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
It looks like they have all been taken down, as I don't see any of them when searching for their names on PyPI.

I just found out about the term PyPi with a short google search. Sorry for my limited knowledge of the functionality of this software, wondering what is the degree of chance for an attacker to get at least one user mistake or omission so this attack works, while PyPi users (in my assumption) have an advanced level of technical knowledge compared to the average crypto user?

Actually it just works because a user types pip install instead of pip install .

-snip-
So just be careful downloading any chrome extension that is related to crypto, check everything.

I think it's not even a browser extension, cmiiw.

I'm curious to know how it even manages to get the browser extension running in the first place. It appears to only work on Chrome browsers and derivatives, and even then, Chrome will alert you when anybody has installed some unknown package, which you can then purge from your system.
legendary
Activity: 2338
Merit: 5297
Self-proclaimed Genius
New PyPi packages have been discovered by Phylum that target crypto-related wallet addresses through typo-squatting. So the new attack includes the following packages:

And then once it is installed, it will quietly replace any crypto wallet address copied to the user’s clipboard with the attacker’s controlled wallet addresses.
To be more precise: Those packages are the target of typo-squatting, which marks them as the "attacked packages", and they are not included in the new attack.

It's a good thing that you've included a link to the article in OP because the ambiguity in the post may cause some misunderstanding (already did?).
legendary
Activity: 2212
Merit: 7064
Cashback 15%
So just be careful downloading any chrome extension that is related to crypto, check everything. Maybe a VM will do to at least minimize the risk. Do not be lazy in protecting our crypto assets.
This malicious package is probably affecting wind0ws OS, so the best protection is to change operating system to open source Linux or closed source MacOS.
As for web browsers I would install only a minimal amount of extensions, something like uBlock Origin is a good idea, but I wouldn't experiment with random add-ons.
I would also use a separate computer device for bitcoin wallets, then you will be much more protected from most malware attacks.


legendary
Activity: 1876
Merit: 1552
Bitcoin Casino Est. 2013
@hugeblack

From what I understand, it's because you have installed the legitimate one and not those typosquatted TensorFlow packages that can be properly installed to your machine when any of the following has been entered on your terminal or anaconda notebook.

Code:
teensorflow
tennsorflow
tenorflow
tenosrflow
tensofrlow
tensoorflow
tensorfflow
tensorfllow
tensorflo
tensorfloow
tensorfloww
tensorflw
tensorflwo
tensorlfow
tensorlow
tensorrflow
tensroflow
tenssorflow
tesnorflow
tesorflow
tnesorflow
tnsorflow
- https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack
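A pre-install check for the kind of near-miss names listed in the post above, as an added example that is not part of the original thread or of Phylum's tooling. It flags any requirement whose name is within two edits (including swapped adjacent letters) of a package you actually intend to install; the `TRUSTED` allowlist, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Assumption: TRUSTED is your own allowlist of packages you intend to install.
TRUSTED = {"tensorflow"}
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    """PEP 503 normalization, so 'TensorFlow' and 'tensorflow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[len(b)]

def find_lookalikes(lines, trusted=TRUSTED, max_distance=2):
    """Return (name, trusted_name, distance) for each requirement line whose
    package name is close to, but not equal to, a trusted name."""
    findings = []
    for line in lines:
        match = NAME_RE.match(line)  # comments and option lines do not match
        if not match:
            continue
        name = normalize(match.group(1))
        if name in trusted:
            continue
        for good in sorted(trusted):
            dist = osa_distance(name, normalize(good))
            if dist <= max_distance:
                findings.append((name, good, dist))
    return findings

# Constructed requirements file; the misspellings come from the list above.
SAMPLE = ["tensorflow==2.11.0", "tensroflow", "tensorflo>=2", "numpy",
          "# pinned for CI", "tnsorflow", "TensorFlow"]

if __name__ == "__main__":
    for name, good, dist in find_lookalikes(SAMPLE):
        print(f"SUSPICIOUS: {name!r} is {dist} edit(s) from {good!r}")
```

Run it over a requirements file or a shell history before installing; a hit means the name should be retyped or checked against the project's official page.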
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
Many of these PyPi packages are very popular amongst cryptocurrency wallet developers, which may result in honest developers unintentionally building malicious cryptocurrency applications. Let me explain. Developing a new application usually implies the usage of third-party modules specifically designed to provide certain functionality. In short, you don't reinvent the wheel if it is already created by someone, you use it in "automobiles" you construct. The problem is that not all developers check the source code of the packages they include in their project; if a third-party application provides required API endpoints, you just connect to them and continue building your project. As a result, we can have numerous applications built on top of cryptocurrency stealers, and that may negatively affect the future of the cryptocurrency field. Of course, it concerns only small-scale projects the codebase of which is not being actively looked at by dozens of developers.
legendary
Activity: 2464
Merit: 3548
Buy/Sell crypto at BestChange

Take, for instance, the TensorFlow package, one of the popular machine learning packages in python. According to pypistats.org, as of February 2023[1], TensorFlow has been downloaded more than 15,000,000 times in the last 30 days, translating to an average of approximately 600,000 downloads per day. That alone can give you an idea how susceptible developers are when it comes to downloading malicious python packages.

[1] https://pypistats.org/packages/tensorflow


I have been using TensorFlow package for several months and it is installed on my device, but nothing happened? I did not read the details of what happened, but in general it is better to have a separate computer or phone that works as a hot wallet in addition to cold storage. Using the same computer is a waste of time.

If the information is correct, then there must be a third party, because most of these packages work offline.
legendary
Activity: 1876
Merit: 1552
Bitcoin Casino Est. 2013
@noorman0 @Dave1

The Python packages that are listed are commonly used in the field of data science and machine learning if I remember it correctly from my previous years at the University. From what I understand, it is not about downloading a "browser extension" but rather installing mistyped packages through the official repository for Python packages using Python's package manager, called pip.

wondering what is the degree of chance for an attacker to get at least one user mistake or omission so this attack works
Many developers or data scientists use these packages, which could result in hundreds of thousands or millions of downloads per day. Knowing this, you can safely assume that some developers could install packages with typos, and some of these typosquatted packages can end up on the computer of data scientists who are also cryptocurrency users as well.

Take, for instance, the TensorFlow package, one of the popular machine learning packages in python. According to pypistats.org, as of February 2023[1], TensorFlow has been downloaded more than 15,000,000 times in the last 30 days, translating to an average of approximately 600,000 downloads per day. That alone can give you an idea how susceptible developers are when it comes to downloading malicious python packages.

[1] https://pypistats.org/packages/tensorflow

hero member
Activity: 1764
Merit: 694
[Nope]No hype delivers more than hope
I just found out about the term PyPi with a short google search. Sorry for my limited knowledge of the functionality of this software, wondering what is the degree of chance for an attacker to get at least one user mistake or omission so this attack works, while PyPi users (in my assumption) have an advanced level of technical knowledge compared to the average crypto user?

-snip-
So just be careful downloading any chrome extension that is related to crypto, check everything.

I think it's not even a browser extension, cmiiw.
mk4
legendary
Activity: 2716
Merit: 3817
🪸 NotYourKeys.org 🪸
It boggles my mind how lazy people are to double-check wallet addresses. It literally takes like <5 seconds in exchange of you not losing your money from potential clipboard hijacks.
hero member
Activity: 1260
Merit: 515
New PyPi packages have been discovered by Phylum that target crypto-related wallet addresses through typo-squatting. So the new attack includes the following packages:

And then once it is installed, it will quietly replace any crypto wallet address copied to the user’s clipboard with the attacker’s controlled wallet addresses.



https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack

As reported, this kind of attack has been found in the wild since November, but the attack has been increasing.

So just be careful downloading any chrome extension that is related to crypto, check everything. Maybe a VM will do to at least minimize the risk. Do not be lazy in protecting our crypto assets.

Or maybe this could help: Finding malicious PyPI packages through static code analysis: Meet GuardDog