Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information.
Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, masquerade as fixes for recent issues detected in a legitimate Python module called bitcoinlib, according to ReversingLabs. A separate package flagged by Socket, disgrasya, contained a fully automated carding script targeting WooCommerce stores.
The packages attracted thousands of downloads before being taken down, according to statistics from pepy.tech.
"The malicious libraries both attempt a similar attack, overwriting the legitimate 'clw' CLI command with malicious code that tries to exfiltrate sensitive database files," ReversingLabs said.
In an interesting twist, the authors of the bogus libraries are said to have joined a GitHub issue discussion and unsuccessfully attempted to trick unsuspecting users into downloading the purported fix and running the library.
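One defensive check that follows from the `clw` overwrite described above, written here as an added example rather than ReversingLabs or Socket tooling: audit the console scripts registered in a Python environment and flag any script name that more than one installed distribution claims, or whose owner is not the distribution you expect. The package names in the sample are from this article; the entry-point targets are constructed for illustration.

```python
"""Audit console_scripts entry points for collisions or unexpected owners.
Added example; constructed sample data, not real package metadata."""
from collections import defaultdict
from importlib.metadata import distributions


def installed_console_scripts():
    """Yield (distribution name, script name, target) for every
    console_scripts entry point in the current environment."""
    for dist in distributions():
        dist_name = dist.metadata["Name"]
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                yield dist_name, ep.name, ep.value


def find_script_collisions(scripts, expected_owners=None):
    """scripts: iterable of (distribution, script, target) triples.
    expected_owners: optional {script: distribution} allow-list.
    Returns {script: [(distribution, target), ...]} for every script that is
    claimed by several distributions, or by a distribution other than the
    expected one. An empty dict means nothing suspicious was found."""
    owners = defaultdict(list)
    for dist_name, script, target in scripts:
        owners[script].append((dist_name, target))
    expected_owners = expected_owners or {}
    flagged = {}
    for script, claims in owners.items():
        dists = {d for d, _ in claims}
        unexpected = script in expected_owners and dists != {expected_owners[script]}
        if len(dists) > 1 or unexpected:
            flagged[script] = sorted(claims)
    return flagged


# Constructed sample: a hypothetical environment in which a look-alike package
# also registers the `clw` script that bitcoinlib legitimately provides.
# Target strings are made up and are not the real packages' metadata.
SAMPLE_SCRIPTS = [
    ("bitcoinlib", "clw", "bitcoinlib.tools.clw:main"),
    ("bitcoinlibdbfix", "clw", "bitcoinlibdbfix.patch:main"),
    ("pip", "pip", "pip._internal.cli.main:main"),
]

if __name__ == "__main__":
    # Run against the live environment; prints nothing when there is no collision.
    for script, claims in find_script_collisions(installed_console_scripts()).items():
        print(f"{script}: claimed by {claims}")
```

Pass an allow-list such as `{"clw": "bitcoinlib"}` as `expected_owners` to also catch the case where the legitimate package has been uninstalled and only the impostor still provides the script.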
Disgrasya, on the other hand, has been found to be overtly malicious, making no effort to conceal its carding and credit card data theft functionality.
"The malicious payload was introduced in version 7.36.9, and all subsequent versions carried the same embedded attack logic," the Socket Research Team said.
Carding, also called card testing, refers to an automated form of payment fraud in which fraudsters test a bulk list of stolen credit or debit card information against a merchant's payment processing system to verify breached or stolen card details. It falls under a broader attack category referred to as automated transaction abuse.
A typical source for stolen credit card data is a carding site, where credit card details pilfered from victims using various methods like phishing, skimming, or stealer malware are sold to further criminal activity.
Once they are found to be active (i.e., not reported lost, stolen, or deactivated), scammers use them to buy gift cards or prepaid cards, which are then resold for profit. Threat actors are also known to test if the cards are valid by attempting small transactions on e-commerce sites to avoid being flagged for fraud by the card owners.
The rogue package identified by Socket is designed to validate stolen credit card information, particularly targeting merchants using WooCommerce with CyberSource as the payment gateway.
The script achieves this by emulating the actions of a legitimate shopping session: programmatically finding a product, adding it to a cart, navigating to the WooCommerce checkout page, and filling the payment form with randomized billing details and the stolen credit card data.
By mimicking a real checkout process, the idea is to test the validity of the stolen cards and exfiltrate the relevant details, such as the credit card number, expiration date, and CVV, to an external server under the attacker's control ("railgunmisaka[.]com") without attracting the attention of fraud detection systems.
"While the name might raise eyebrows to native speakers ('disgrasya' is Filipino slang for 'disaster' or 'accident'), it's an apt characterization of a package that executes a multi-step process emulating a legitimate shopper's journey through an online store in order to test stolen credit cards against real checkout systems without triggering fraud detection," Socket said.
"By embedding this logic inside a Python package published on PyPI and downloaded over 34,000 times, the attacker created a modular tool that could be easily used in larger automation frameworks, making disgrasya a powerful carding utility disguised as a harmless library."