Cybersecurity researchers have disclosed malicious packages uploaded to a Python Package Index (PYPI) repository designed to steal transaction orders posted on MEXC Cryptocurrency Exchange with malicious servers.
The package, CCXT-MEXC-Futures, claims to be an extension built on top of the popular Python library named CCXT (short for cryptocurrency exchange trading).
Malicious packages are no longer available on Pypi, but Pepy.tech statistics show that they have been downloaded at least 1,065 times.
“The authors of the malicious CCXT-MEXC-FUTURES package claim in their README file that they will extend the CCXT package to support ‘futures’ trading in MEXC,” says Korolevski, a researcher at JFROG, in a report shared with Hacker News.
However, a deeper look into the library revealed that it specifically overrides the two APIs associated with the MEXC interface -Contract_Private_Post_order_Submit and contract_post_order_cancel-, introducing a new name named Spot4_private_post_order_place.
In doing so, you trick the developer into invoking these API endpoints to create, cancel or place transaction orders in MEXC Exchange, and stealthly perform malicious actions in the background.
The malicious changes are specifically targeted at three different MEXC-related features that exist in the original CCXT library. Describe, sign, and prepare dextlive_Request_Headers.
This allows you to run arbitrary code on the local machine where the package is installed and effectively retrieve the JSON payload from a fake domain that is impersonating MEXC (“v3.mexc.workers[.]dev “), which includes configurations that direct overridden APIs towards malicious third-party platforms (” Greentreeone[.]com “) in contrast to the actual MEXC website.
“The package creates an entry in the API for MEXC integration.[.]”Mexc site not mexc.com, not com,” Korolevsky said.
“All requests will be redirected to the domain set by the attacker and can hijack all the victim’s crypto tokens, including API keys and secrets, and all the sensitive information transferred in the request.”
Additionally, the rogue package is designed to send MEXC API keys and secret keys to domains controlled by attackers.
Users who have installed ccxt-mexc-futures are advised to cancel potentially compromised tokens and remove packages with immediate effect.
This development occurs because Socket reveals that it is taking advantage of counterfeit packages across the NPM, PYPI, GO, and Maven ecosystem to launch an inverse shell to maintain persistence and extend data.
“An unsuspecting developer or organization may incorrectly include vulnerabilities or malicious dependencies in the codebase.
It also follows new research that delves into the potential for large-scale language models (LLMS) powering generative artificial intelligence (AI) tools to risk the software supply chain by hallucinating non-existent packages and recommending them to developers.
A supply chain threat arises when a malicious actor registers and publishes hallucination names, registers and publishes malware-covered packages in an open source repository, infects the developer system in the process.
Academic studies show that “the average percentage of hallucination packages is at least 5.2% for the commercial model and 21.7% for the open source model, including a staggering 205,474 unique examples of hallucination package names, further highlighting the severity and prevalence of this threat.”
Source link
