- Two malicious Python packages named bitcoinlibdbfix and bitcoinlib-dev have been discovered targeting users of the popular bitcoinlib cryptocurrency library.
- The attackers use social engineering to trick developers by presenting the packages as fixes for a database issue in bitcoinlib while actually stealing sensitive wallet information.
- The attack works by replacing legitimate command-line tools with malicious versions that exfiltrate private keys and wallet data to attacker-controlled servers.
Cybersecurity researchers have uncovered two dangerous Python packages designed to steal cryptocurrency wallet information from developers and users. The malicious packages, identified as bitcoinlibdbfix and bitcoinlib-dev, were found on the Python Package Index (PyPI) masquerading as legitimate fixes for the widely-used bitcoinlib cryptocurrency library while actually containing code that steals sensitive wallet data.
The compromised packages specifically target bitcoinlib, a critical tool for cryptocurrency developers who build applications for creating and managing crypto wallets and interacting with blockchain networks. ReversingLabs researchers Bitcoin-library” target=”_blank” rel=”noreferrer noopener nofollow”>identified these malicious packages using their Spectra platform, which employs machine learning algorithms to detect novel Malware patterns.
The attack represents part of a concerning trend in cryptocurrency-related software compromises, with nearly two dozen similar campaigns observed throughout 2024. Attackers employed classic social engineering techniques, claiming their packages fixed a specific database-related error message that reads "ValueError: Old database version found (0.5 version database automatically."
How The Attack Works
The malicious packages operate by targeting the legitimate "clw" command-line interface tool that manages cryptocurrency wallets. Once installed, the malware first removes any existing clw command using a specific code function designed to identify and delete the legitimate tool:
def remove_existing_clw():
"""Remove existing clw command from system if it exists"""
try:
clw_path = check_output(['which', 'clw'], stderr=sys.stderr).decode().strip()
if clw_path:
os.remove(clw_path)
except CalledProcessError:
pass
After removing the legitimate tool, the malware creates a symbolic link to its own executable. This allows attackers to intercept commands meant for wallet management and harvest sensitive database files containing private keys and wallet information.
Security Implications
The compromised packages create a persistent backdoor mechanism that exfiltrates sensitive wallet data to attacker-controlled servers. This poses serious risks for cryptocurrency developers and users who might unknowingly install these packages while seeking solutions to technical issues.
The attack specifically targets the bitcoinlib database files which contain valuable wallet management information and private keys. By compromising these files, attackers can potentially gain access to cryptocurrency assets or sensitive blockchain data, highlighting the growing sophistication of threats targeting the cryptocurrency ecosystem.
This incident serves as a reminder for developers to carefully verify the authenticity of packages before installation, especially those handling sensitive financial information or cryptocurrency operations.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- BlackRock CEO Warns Stocks Could Plummet 20% Amid Tariff Turmoil
- Tokenized Asset Markets Set to Surge to $18.9T by 2033, BCG-Ripple Report
- Bitcoin Plunges 27% from Peak, Marking Deepest Drawdown of Bull Market
- The Economic Logic Behind Trump’s Aggressive Tariff Policies
- PairMiner Set to Revolutionize Crypto Mining for Passive Income in 2025