Malicious Python Packages Attacking Popular Cryptocurrency Library To Steal Sensitive Data

Cybersecurity experts have identified a new threat targeting cryptocurrency developers and users.
Two malicious Python packages have been discovered on the Python Package Index (PyPI) specifically designed to compromise systems using the popular bitcoinlib library.
These packages, identified as bitcoinlibdbfix and bitcoinlib-dev, masquerade as legitimate fixes for the cryptocurrency library while containing code designed to exfiltrate sensitive database files containing valuable crypto wallet information.
The bitcoinlib library serves as a critical tool for developers building cryptocurrency applications, providing essential functionality for creating and managing crypto wallets, interacting with blockchain networks, and executing Bitcoin scripts.
This makes it an especially valuable target for attackers seeking to compromise cryptocurrency assets or gain access to sensitive blockchain data.
ReversingLabs researchers identified these malicious packages through their Spectra platform, which employs advanced machine learning algorithms to detect novel malware by analyzing behavioral patterns.
According to their analysis, both packages were designed as part of a targeted supply chain attack, continuing a troubling trend in cryptocurrency-related software compromises that saw nearly two dozen similar campaigns throughout 2024.
The attackers employed classic social engineering techniques, presenting their malicious packages as solutions to a purported database issue in bitcoinlib.
One package claimed to fix a “ValueError: Old database version found (0.5 version database automatically” error, luring developers seeking quick solutions to implement the compromised code.
Once installed, the malicious packages execute a sophisticated attack by targeting the legitimate command-line interface tool.
Infection Mechanism Analysis
The core of the attack involves overwriting the legitimate “clw” command-line tool with malicious code.
The packages contain functionality to first remove any existing clw command using code like:

import os
import sys
from subprocess import CalledProcessError, check_output

def remove_existing_clw():
    """Remove existing clw command from system if it exists"""
    try:
        # Locate the installed clw entry point on PATH
        clw_path = check_output(['which', 'clw'], stderr=sys.stderr).decode().strip()
        if clw_path:
            os.remove(clw_path)
    except CalledProcessError:
        # `which` exits non-zero when no clw is installed; nothing to remove
        pass
After removing the legitimate tool, the malware creates a symlink to its own executable in its place, so that commands meant for cryptocurrency wallet management are intercepted by the attacker's code.
This provides the attackers with a persistent mechanism to harvest sensitive database files containing private keys and wallet information, which are then exfiltrated to attacker-controlled servers.
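The two indicators the article describes, lookalike package names built around bitcoinlib and a clw entry point that has been replaced by a symlink to a foreign executable, can both be checked from the defender's side. The script below is an added example written for this page; it is not code from the article, from ReversingLabs or from the bitcoinlib project. It assumes that the legitimate console script is named clw and is installed by the bitcoinlib distribution (both names come from the article), and that a healthy pip-installed console script is a regular file inside the environment's bin directory, so a clw that is a symlink resolving outside a trusted prefix is treated as a hijack indicator. The demo() function builds a constructed throw-away directory layout that mimics the hijack and audits it; audit_clw() and lookalike_distributions() can equally be pointed at a real environment.

```python
"""Defender-side checks for the clw hijack and lookalike-package pattern.

Added example; assumptions (not from the article):
- LEGIT_DIST / clw are the only names taken from the report;
- a trusted clw is a regular file, or a symlink that stays inside a
  trusted prefix such as the virtualenv's bin directory.
"""
import importlib.metadata
import os
import shutil
import tempfile
from pathlib import Path

LEGIT_DIST = "bitcoinlib"
# Package names reported in the article as malicious.
KNOWN_BAD = {"bitcoinlibdbfix", "bitcoinlib-dev"}


def _norm(name):
    """Normalise a distribution name the way PyPI compares them (case, -, _, .)."""
    return name.lower().replace("_", "-").replace(".", "-")


def lookalike_distributions(installed, legit=LEGIT_DIST):
    """Return installed names that embed *legit* but are not *legit* itself.

    Catches suffix-style lookalikes such as 'bitcoinlibdbfix' and
    'bitcoinlib-dev' regardless of case or separator style.
    """
    target = _norm(legit)
    return sorted({n for n in installed if _norm(n) != target and target in _norm(n)})


def installed_distribution_names():
    """Distribution names present in the running interpreter (real environment)."""
    return [d.metadata["Name"] for d in importlib.metadata.distributions()]


def _inside(path, prefixes):
    for prefix in prefixes:
        try:
            path.relative_to(Path(prefix).resolve())
            return True
        except ValueError:
            continue
    return False


def audit_clw(clw_path, trusted_prefixes):
    """Classify the clw entry point at *clw_path*.

    Verdicts: 'missing', 'regular' (a normal pip console script),
    'symlink-inside' (symlink staying under a trusted prefix) or
    'symlink-outside' (symlink leaving every trusted prefix: hijack indicator).
    """
    p = Path(clw_path)
    if p.is_symlink():
        # resolve() on a dangling symlink still yields the intended target path
        target = p.resolve()
        return "symlink-inside" if _inside(target, trusted_prefixes) else "symlink-outside"
    if not p.exists():
        return "missing"
    return "regular"


def demo():
    """Constructed layout reproducing the hijack; returns the audit results."""
    root = Path(tempfile.mkdtemp(prefix="clw-audit-"))
    try:
        env_bin = root / "venv" / "bin"
        env_bin.mkdir(parents=True)
        # Stand-in for the malicious package's own executable, outside bin/.
        evil = root / "site-packages" / "bitcoinlibdbfix" / "clw.py"
        evil.parent.mkdir(parents=True)
        evil.write_text("# constructed stand-in for the attacker's executable\n")
        hijacked = env_bin / "clw"
        os.symlink(evil, hijacked)          # the symlink step described in the article
        healthy = env_bin / "clw-good"      # what a pip-installed console script looks like
        healthy.write_text("#!/usr/bin/env python\n")
        constructed_installed = ["requests", "bitcoinlib", "bitcoinlibdbfix",
                                 "bitcoinlib-dev", "Bitcoinlib_Dev"]
        return {
            "hijacked": audit_clw(hijacked, [env_bin]),
            "healthy": audit_clw(healthy, [env_bin]),
            "missing": audit_clw(env_bin / "absent", [env_bin]),
            "lookalikes": lookalike_distributions(constructed_installed),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("constructed demo:", demo())
    real_clw = shutil.which("clw")
    if real_clw:
        print("real clw:", real_clw, audit_clw(real_clw, [Path(real_clw).parent]))
    print("lookalikes in this environment:", lookalike_distributions(installed_distribution_names()))
```

Run as a script it first audits the constructed layout, then the interpreter's own environment. A 'symlink-outside' verdict on the real clw, or any name returned by lookalike_distributions, is worth a closer look at the package's install directory and PyPI history before the tool is run again.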
The post Malicious Python Packages Attacking Popular Cryptocurrency Library To Steal Sensitive Data appeared first on Cyber Security News.