IT specialists are falling victim en masse to a new virus that steals cryptocurrency
Analysts have found malicious code in packages in the repository of Python, one of the most popular programming languages; the code is aimed at installing a browser extension that steals cryptocurrency. This was reported by analysts at Phylum.
A repository is a server that stores and distributes software. More than 450 packages in the Python repository PyPI install a malicious extension in the Chrome browser to steal cryptocurrency. The malicious packages imitate genuine ones but differ from them by only a single typo in the name, which is enough to mislead the victim.
Most often, victims encounter fraudulent copies of bitcoinlib, ccxt, cryptocompare, cryptofeed, solana, and other packages. To complicate detection of the malicious code, the attackers use a new obfuscation method that relies on Chinese characters in the package script, the experts said.
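One defensive check that follows from the typosquatting described above, added here as an example and not code from the article or from Phylum: it scans a requirements list for package names that are one edit away from a known package without being that package. The trusted names are the genuine packages the article says were imitated; the requirements lines and their misspellings are constructed samples, not indicators from the report.

```python
import re

# Added example, not from the article or Phylum; trusted names are the genuine packages the article names.
TRUSTED_PACKAGES = {"bitcoinlib", "ccxt", "cryptocompare", "cryptofeed", "solana"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, any run of '-', '_' or '.' becomes '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line: str):
    """Project name from one requirements.txt line; None for comment, blank or option lines."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # no match for '' or '-r base.txt'
    return m.group(0) if m else None

def suspicious_requirements(lines, trusted=TRUSTED_PACKAGES, max_distance=1):
    """Return (requested, lookalike) pairs for names near, but not equal to, a trusted name."""
    trusted_norm = {normalize(t): t for t in trusted}
    hits = []
    for line in lines:
        name = requirement_name(line)
        if name is None or normalize(name) in trusted_norm:
            continue  # nothing to check, or an exact match with a genuine package
        for tnorm, original in trusted_norm.items():
            if levenshtein(normalize(name), tnorm) <= max_distance:
                hits.append((name, original))
                break
    return hits

# Constructed sample file; the misspellings are invented, not indicators from the report.
SAMPLE_REQUIREMENTS = """requests==2.31.0
bitcoinlib
cxt            # constructed: one letter dropped from ccxt
cryptocompare
solona>=0.30   # constructed: one letter substituted in solana
"""

if __name__ == "__main__":
    for requested, lookalike in suspicious_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"{requested!r} is one edit away from {lookalike!r}; verify before installing")
```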
To intercept the user's cryptocurrency activity, the malicious script writes the extension into the %AppData%\Extension folder. The virus then searches for shortcuts to Google Chrome, Microsoft Edge, Brave, or Opera, reads their target paths, and modifies them so that the browser loads the malicious extension.
The next time the browser is launched, the extension is loaded and its JavaScript code begins monitoring data copied to the clipboard. As soon as the virus detects that the victim has copied a wallet address in order to send cryptocurrency, the extension immediately replaces it with an address belonging to the attacker. According to Phylum, the attackers watch for addresses on the Bitcoin, Ethereum, TRON, BNB Chain, Litecoin, XRP, Dash, Bitcoin Cash, and Cosmos networks.
It is worth recalling that hackers have begun to use the ChatGPT artificial intelligence to create viruses. One of the examples provided by Check Point Research describes a Python script that, with some modification, can be turned into ransomware capable of encrypting data on a user's computer. Another script that ChatGPT produced in Python searches the local machine for files of a given type, for example PDF, compresses them, and sends them to a potential attacker's server: a standard information-theft scenario.