Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders

By Admin | April 15, 2025


April 15, 2025Red LakshmananAttack of supply chain / malicious software


Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that is designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens.

The package, CCXT-MEXC-Futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency eXchange Trading), which is used to connect and trade with several cryptocurrency exchanges and facilitate payment processing services.

The malicious package is no longer available on PyPI, but statistics on Pepy.Tech show that it was downloaded at least 1,065 times.

“The authors of the CCXT-MEXC-Futures package claim in its README file that it extends the CCXT package to support ‘futures’ trade on MEXC,” JFrog researcher Guy Royal noted in a report shared with Hacker News.


However, a deeper examination of the library showed that it specifically overrode two APIs associated with the MEXC interface, contract_private_post_order_submit and docrt_private_order_cancel, and introduced a new one, spot4_private_post_order_order.

In doing so, the idea is to trick developers into calling these API endpoints to create, cancel, or place an order on MEXC while malicious actions are stealthily performed in the background.

The malicious modifications focus in particular on three different MEXC-related functions present in the original CCXT library: describe, sign, and prepare_request_headers.

This makes it possible to execute arbitrary code on the local machine on which the package is installed, effectively retrieving a JSON payload from a bogus domain impersonating MEXC (“v3.mexc.workers[.]dev”) that contains a configuration directing the overridden APIs to a malicious platform (“Greentree.) rather than the actual MEXC site.

“The package creates entries in the API for MEXC integration, using an API that directs requests to the domain greentreene[.]com, and not the MEXC site mexc.com,” Royal said.

“All requests are redirected to the domain created by the attackers, allowing them to steal all of the victim's crypto and confidential information transmitted in the request, including API keys and secrets.”

Moreover, the fraudulent package is designed to send the MEXC API key and secret key to the attacker-controlled domain each time a request is sent to create, cancel, or place an order.
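An added example (not code from the JFrog report or from the package): a check that walks a nested API URL map of the kind described above and flags every endpoint whose host is not under mexc.com. The map layout, key names, paths, and the attacker.example host are constructed for illustration; v3.mexc.workers.dev is the lookalike domain named above.

```python
from urllib.parse import urlsplit

# Assumption: only hosts under this domain are legitimate for the integration.
ALLOWED_DOMAINS = ("mexc.com",)


def iter_urls(node, path=()):
    """Yield (dotted_path, url) for every string leaf of a nested URL map."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, path + (str(key),))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            yield from iter_urls(value, path + (str(index),))
    elif isinstance(node, str):
        yield ".".join(path), node


def host_allowed(url, allowed=ALLOWED_DOMAINS):
    """Accept only https URLs whose host is an allowed domain or a subdomain of one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return False
    # Suffix match on a label boundary: a substring test for "mexc" would pass
    # lookalike hosts such as v3.mexc.workers.dev.
    return any(host == d or host.endswith("." + d) for d in allowed)


def audit_api_urls(api_map, allowed=ALLOWED_DOMAINS):
    """Return sorted (path, url) pairs that point outside the allowlist."""
    return sorted((p, u) for p, u in iter_urls(api_map) if not host_allowed(u, allowed))


# Constructed sample map (hypothetical keys and paths, not taken from the package).
SAMPLE_API_MAP = {
    "spot": {"public": "https://api.mexc.com", "private": "https://api.mexc.com"},
    "contract": {"private": "https://contract.mexc.com/api/v1/private"},
    "spot4": {"private": "https://attacker.example/api"},
    "remote_config": "https://v3.mexc.workers.dev",
    "userinfo": "https://api.mexc.com@attacker.example/",
}

if __name__ == "__main__":
    for path, url in audit_api_urls(SAMPLE_API_MAP):
        print(f"UNEXPECTED HOST  {path}: {url}")
```

Because the redirect configuration described above is retrieved at run time, a check like this is meaningful only against the URL map the running process actually holds, not against the package source alone.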

Users who have installed CCXT-MEXC-Futures are advised to revoke any potentially compromised tokens and remove the package immediately.

The development comes as Socket disclosed that threat actors are using fake packages across the npm, PyPI, Go, and Maven ecosystems to launch a reverse shell for persistence and continued operation.


“Unsuspecting developers or organizations can unintentionally incorporate vulnerabilities or malicious dependencies in their code base, which may allow sensitive data or system sabotage if not detected,” the software security company said.

It also follows new research into how large language models (LLMs) powering generative artificial intelligence (AI) may endanger the software supply chain by hallucinating non-existent packages and recommending them to developers.


The supply chain threat comes into play when malicious actors register and publish malware-laced packages under the hallucinated names to package repositories, a technique known as slopsquatting.

The academic study found that the “average percentage of hallucinated packages is at least 5.2% for commercial models and 21.7% for open source models, including a stunning 205,474 unique examples of the packages, which further emphasizes the severity and extent of the threat.”
