A malicious package named ccxt-mexc-futures was uploaded to the PyPI repository, targeting users of the MEXC cryptocurrency exchange. The package claimed to extend the popular ccxt Python library, which facilitates cryptocurrency trading, but instead rerouted trading orders to a malicious server. This allowed attackers to steal tokens by modifying APIs associated with the MEXC interface. The package had been downloaded over 1,000 times before being removed from the repository.
The attackers exploited three MEXC-related functions in the original ccxt library, creating vulnerabilities that could execute arbitrary code on affected machines. By sending requests to a fraudulent domain, the attackers were able to intercept sensitive information, including API keys and secrets, which were then sent to their malicious server. The package also created entries in the MEXC API, directing all requests to the attacker-controlled domain, greentreeone.com.
This enabled them to hijack crypto tokens and sensitive data from unsuspecting users.
Security researchers have advised anyone who installed the package to revoke potentially compromised tokens and immediately remove it from their systems. This incident highlights the increasing risk of counterfeit packages in open-source repositories like PyPI and npm. Malicious actors are using these packages to infiltrate developer systems, execute reverse shells, and exfiltrate data, posing significant threats to software supply chains.
The attack is part of a broader trend of security risks in open-source ecosystems.
As software supply chain attacks grow more sophisticated, they increasingly involve tools like large language models (LLMs) that can hallucinate non-existent packages. Developers must remain vigilant to avoid introducing malicious dependencies into their codebase, as these threats continue to evolve and expand across various platforms.
Reference:
