PyPI Hit by Wave of Malicious Packages, 39,000 Downloads and Counting
A new report reveals that cybercriminals have infiltrated the Python Package Index (PyPI) with malicious libraries. These packages, downloaded over 39,000 times, are engineered to siphon sensitive data and even validate stolen credit card information, posing a significant threat to developers and their projects.

Cybersecurity researchers have discovered malicious libraries lurking in the Python Package Index (PyPI). The packages are built to steal sensitive data and, in one case, to test stolen credit card details against live checkout pages.
Two of these troublemakers, bitcoinlibdbfix and bitcoinlib-dev, are cleverly disguised as fixes for recent issues found in the legitimate Python module bitcoinlib. That's according to a report from ReversingLabs. And there's more: a third package, disgrasya, unearthed by Socket, packs a fully automated carding script that goes after WooCommerce stores.
Before they were taken down, the three packages had been downloaded more than 39,000 times in total, according to pepy.tech:
bitcoinlibdbfix - 1,101 downloads
bitcoinlib-dev - 735 downloads
disgrasya - a whopping 37,217 downloads
"Both malicious libraries attempt a similar attack," ReversingLabs explained. "They overwrite the legitimate clw cli command with malicious code that tries to steal sensitive database files."
Here's a weird twist: the creators of the fake libraries also joined a GitHub discussion about the legitimate library's bug and tried, unsuccessfully, to talk unsuspecting users into installing their bogus fixes and running the malicious code.
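The attack ReversingLabs describes works because two packages can both declare a console script with the same name, and the one installed last wins. The check below is an added example by the editor, not code from ReversingLabs, Socket or the bitcoinlib project: it lists which installed distributions claim the same command name, and it reads the console_scripts of a wheel before installing it. The sample environment and the in-memory wheel are constructed for the example, and the assumption that the malicious package declared a `clw` entry point is ours, based only on the report's wording.

```python
"""Audit console_scripts entry points for command-name collisions.

Added example by the editor, not code from ReversingLabs or bitcoinlib. It
looks for the pattern the report describes: a second distribution claiming the
same console script name (here `clw`) as the package it imitates, so that
installing it silently replaces the real command.
"""
import configparser
import io
import zipfile
from collections import defaultdict
from importlib.metadata import distributions


def collect_console_scripts(dists):
    """Map script name -> set of distributions that declare it.

    `dists` is an iterable of (distribution_name, [script_names]).
    """
    owners = defaultdict(set)
    for dist_name, scripts in dists:
        for script in scripts:
            owners[script].add(dist_name)
    return owners


def find_collisions(dists):
    """Return {script: sorted owner names} for every script claimed by more
    than one distribution. An empty dict means no command is shadowed."""
    return {
        script: sorted(owner_set)
        for script, owner_set in collect_console_scripts(dists).items()
        if len(owner_set) > 1
    }


def installed_console_scripts():
    """Read the real environment into the same (name, [scripts]) shape."""
    result = []
    for dist in distributions():
        scripts = [ep.name for ep in dist.entry_points if ep.group == "console_scripts"]
        if scripts:
            result.append((dist.metadata["Name"], scripts))
    return result


def console_scripts_from_wheel(wheel):
    """List the console_scripts a wheel declares *without installing it*, by
    parsing its *.dist-info/entry_points.txt. `wheel` is a path or file object."""
    with zipfile.ZipFile(wheel) as zf:
        candidates = [n for n in zf.namelist() if n.endswith(".dist-info/entry_points.txt")]
        if not candidates:
            return []
        parser = configparser.ConfigParser()
        parser.optionxform = str  # entry point names are case-sensitive
        parser.read_string(zf.read(candidates[0]).decode("utf-8"))
        if not parser.has_section("console_scripts"):
            return []
        return list(parser["console_scripts"])


def build_fake_wheel(dist_name, scripts):
    """Constructed in-memory wheel containing only an entry_points.txt, used as
    stand-in input so the example runs offline. Not a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = "[console_scripts]\n" + "".join(
            f"{s} = {dist_name}.cli:main\n" for s in scripts
        )
        zf.writestr(f"{dist_name}-1.0.dist-info/entry_points.txt", body)
    buf.seek(0)
    return buf


# Constructed sample environment: the real bitcoinlib plus a hypothetical
# look-alike that declares the same `clw` command (the behaviour the report
# attributes to bitcoinlibdbfix; the exact entry point text is an assumption).
SAMPLE_ENV = [
    ("bitcoinlib", ["clw"]),
    ("bitcoinlibdbfix", ["clw"]),
    ("pip", ["pip", "pip3"]),
]


if __name__ == "__main__":
    print("sample environment:", find_collisions(SAMPLE_ENV))
    wheel = build_fake_wheel("bitcoinlibdbfix", ["clw"])
    print("scripts in wheel before install:", console_scripts_from_wheel(wheel))
    print("this interpreter:", find_collisions(installed_console_scripts()))
```

Run `pip download <package> --no-deps` and pass the resulting `.whl` to `console_scripts_from_wheel` to see which commands a package would install before it touches your environment; a package whose only job is a "database fix" has no business shipping a `clw` command. The collision scan of the live interpreter is a cheap post-incident check as well, since pip overwrites the script file but leaves both distributions' metadata in place.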
disgrasya, on the other hand, doesn't even try to hide its intentions. It's openly malicious, with carding and credit card data theft baked right in.
"The malicious payload showed up in version 7.36.9, and every version after that carried the same attack code," said the Socket Research Team.
What's carding, you ask? Carding, also known as credit card stuffing, is an automated form of payment fraud: crooks run lists of stolen credit or debit card numbers through online stores' checkouts to find out which cards still work.
Where do the stolen numbers come from? A common source is a carding forum, an online marketplace where card details obtained through phishing, skimming, or malware are sold on to other criminals.
The validation step itself usually takes the form of small test purchases, chosen so that the cardholder is unlikely to notice and the merchant's fraud controls are unlikely to trigger. Cards that come back as active (not yet reported lost or stolen) are then used to buy gift cards or prepaid cards, which are resold for cash.
The malicious disgrasya package discovered by Socket is designed to validate stolen credit card data, specifically against merchants running WooCommerce with CyberSource as their payment gateway.
The script mimics a real shopping session. It finds a product, adds it to the cart, proceeds to the WooCommerce checkout, and fills in the payment form with fake billing details and the stolen card number.
By behaving like an ordinary customer, it tests the stolen cards and harvests the details that matter (card number, expiration date, CVV) without tripping fraud detection on any single request. The results are then sent to an attacker-controlled server (railgunmisaka[.]com).
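Because each request in that flow looks like a legitimate shopper, per-request fraud checks see nothing wrong; what a store operator can still see is the sequence: many different cards from one source in a few minutes, mostly declined, all for a cheap item. The detector below is an added example by the editor, not Socket's analysis code and not a WooCommerce or CyberSource feature. The log format, the sample lines and the thresholds (10 minutes, 5 distinct cards) are constructed assumptions to be tuned to a real store's traffic.

```python
"""Velocity check for carding against a checkout endpoint.

Added example by the editor, not Socket's or WooCommerce's code. The log format
is constructed for the example and the thresholds are assumptions. The idea: a
carding script passes per-request checks, but the *sequence* gives it away:
many distinct cards from one source in a short time, mostly declined, for
small amounts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format; only masked card data (BIN + last 4) is ever logged.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) amount=(?P<amount>[0-9.]+) "
    r"card=(?P<card>[0-9]{6}\*+[0-9]{4}) result=(?P<result>\w+)$"
)


def parse_checkout_log(lines):
    """Parse one checkout attempt per line; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "ip": m["ip"],
            "amount": float(m["amount"]),
            "card": m["card"],  # BIN + last4 is enough to tell cards apart
            "result": m["result"],
        })
    return events


def detect_carding(events, window=timedelta(minutes=10), min_cards=5):
    """Return one alert per source IP that tried >= min_cards distinct cards
    within any span of length `window`. Each alert reports the worst span seen."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            cards = {e["card"] for e in span}
            if len(cards) >= min_cards and (best is None or len(cards) > best["distinct_cards"]):
                best = {
                    "ip": ip,
                    "distinct_cards": len(cards),
                    "attempts": len(span),
                    "declines": sum(1 for e in span if e["result"] != "approved"),
                    "max_amount": max(e["amount"] for e in span),
                    "start": span[0]["ts"],
                    "end": span[-1]["ts"],
                }
        if best:
            alerts.append(best)
    return alerts


# Constructed sample log: 203.0.113.7 cycles six cards in under four minutes
# for a cheap item; 198.51.100.2 is an ordinary single purchase.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z ip=203.0.113.7 amount=4.99 card=411111******1111 result=declined
2025-04-01T10:00:34Z ip=203.0.113.7 amount=4.99 card=411111******2222 result=declined
2025-04-01T10:01:05Z ip=203.0.113.7 amount=4.99 card=542418******3333 result=approved
2025-04-01T10:01:40Z ip=198.51.100.2 amount=129.00 card=601100******7777 result=approved
2025-04-01T10:02:12Z ip=203.0.113.7 amount=4.99 card=542418******4444 result=declined
2025-04-01T10:02:50Z ip=203.0.113.7 amount=4.99 card=411111******5555 result=declined
2025-04-01T10:03:31Z ip=203.0.113.7 amount=4.99 card=371449******6666 result=approved
""".splitlines()


if __name__ == "__main__":
    for alert in detect_carding(parse_checkout_log(SAMPLE_LOG)):
        print(alert)
```

Two caveats a practitioner would add: a tool that rotates source IPs through proxies defeats the per-IP grouping, so production rules key on a session or device fingerprint as well, and a high decline ratio on a single BIN range is a second, independent signal. The example deliberately logs only masked card numbers; a store that writes full PANs to its logs has created a second breach waiting to happen.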
"While the name might seem strange to native speakers ('disgrasya' is Filipino slang for 'disaster' or 'accident'), it's a perfect description of a package that goes through all the steps of a real shopper's journey to test stolen credit cards against real checkout systems without getting caught by fraud detection," Socket explained.
"By putting this logic inside a Python package on PyPI that was downloaded over 34,000 times, the attacker created a modular tool that's easy to use in bigger automation frameworks. That makes disgrasya a powerful carding tool disguised as a harmless library."