A sophisticated supply chain attack targeting cryptocurrency users has been uncovered in the Python Package Index (PyPI) repository, where ten malicious packages masquerading as wallet recovery and management tools have been harvesting private keys, mnemonic phrases, and sensitive wallet data from unsuspecting developers and crypto enthusiasts.
The Exploit Mechanics
Security researchers at Checkmarx, led by analyst Yehuda Gelb, identified a coordinated campaign in which threat actors published ten deceptive Python packages on PyPI. Each package was crafted to appear as a legitimate utility for extracting mnemonic phrases and decrypting wallet data from popular cryptocurrency wallets, including Atomic Wallet, Trust Wallet, MetaMask, Ronin, TronLink, and Exodus.
The packages employed a dual-layered deception strategy. Six of the identified packages contained a malicious dependency called cipherbcryptors, while others relied on an additional package named ccl_leveldbases. These hidden dependencies executed the actual data theft, allowing the outer packages to appear relatively harmless during casual code inspection. The threat actors also manipulated download statistics, inflating numbers to give the impression that the packages were popular and widely trusted by the community.
Among the most downloaded packages were phantomdecoderss with 449 downloads, cipherbcryptors with 450 downloads, and trustdecoderss with 466 downloads. In total, the malicious packages accumulated over 3,700 downloads before being removed from the repository.
Affected Systems
The attack specifically targeted users of some of the most widely used cryptocurrency wallets in the ecosystem. Atomic Wallet, Trust Wallet, MetaMask, Ronin Wallet, TronLink, and Exodus were all named in the package descriptions, luring developers working on wallet integration or recovery tools. With Bitcoin trading at approximately $67,929 and Ethereum at $2,506 at the time of the discovery, the potential financial damage from compromised private keys was substantial.
The package descriptions on PyPI were professionally written, complete with installation instructions, usage examples, and in at least one case, even guidance on “best practices” for setting up virtual environments. This level of detail demonstrates an evolving sophistication among threat actors targeting the cryptocurrency supply chain.
The Mitigation Strategy
Upon discovery, Checkmarx coordinated with PyPI administrators to remove all ten packages from the repository. The affected packages included atomicdecoderss, trondecoderss, phantomdecoderss, trustdecoderss, exodusdecoderss, walletdecoderss, ccl-localstoragerss, exodushcates, cipherbcryptors, and ccl_leveldbases.
Security professionals recommend that developers who installed any of these packages immediately rotate their wallet credentials, generate new mnemonic phrases, and transfer funds to new wallet addresses. Running a full system malware scan is also advised, as the packages may have installed additional persistent threats.
Lessons Learned
This incident highlights the growing risk of supply chain attacks in the cryptocurrency ecosystem. As the industry matures and attracts more developer talent, attackers are increasingly targeting the tools and infrastructure that developers rely on daily. The practice of typosquatting and creating convincing decoy packages on popular package managers like PyPI, npm, and others has become a primary attack vector.
Developers should always verify the source and authenticity of packages before installation, check for known maintainers, review commit histories, and use lock files to pin dependencies to verified versions. Organizations should implement automated dependency scanning tools that flag suspicious packages before they enter production environments.
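The dual-layer pattern described under The Exploit Mechanics (an outer package whose own name and code look harmless, with the data theft living in a dependency such as cipherbcryptors or ccl_leveldbases) is exactly what a naive "is this package on the blocklist?" check misses. The script below is an added example, not code from the article or from Checkmarx: it normalises package names per PEP 503 (so ccl_leveldbases and CCL-LevelDBases compare equal), reads the Requires-Dist lines of METADATA files, and walks transitive dependencies against the ten package names the article reports. The names in REPORTED_MALICIOUS come from the article; wallet-helper-demo, leveldb-reader-demo and the METADATA fragments in SAMPLE_METADATA are constructed for the example and do not correspond to real packages.

```python
import re
from typing import Dict, List

# The ten package names the article reports were removed from PyPI.
REPORTED_MALICIOUS = [
    "atomicdecoderss", "trondecoderss", "phantomdecoderss", "trustdecoderss",
    "exodusdecoderss", "walletdecoderss", "ccl-localstoragerss", "exodushcates",
    "cipherbcryptors", "ccl_leveldbases",
]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: runs of '-', '_' and '.' collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


BLOCKLIST = {normalize(n) for n in REPORTED_MALICIOUS}

# A PEP 508 project name at the start of a requirement string.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requires_dist(metadata: str) -> List[str]:
    """Return the normalised dependency names from the Requires-Dist lines of a
    METADATA file. Version specifiers, extras and environment markers are dropped;
    only the name matters for a blocklist check."""
    names = []
    for line in metadata.splitlines():
        if not line.lower().startswith("requires-dist:"):
            continue
        spec = line.split(":", 1)[1]
        match = _REQ_NAME.match(spec)
        if match:
            names.append(normalize(match.group(1)))
    return names


def audit(roots: List[str], metadata_by_name: Dict[str, str]) -> Dict[str, List[str]]:
    """Walk the dependency graph from each root and return every blocklisted package
    reached, mapped to the chain of packages that pulled it in (root first).
    A hidden dependency is reported even though the root's own name is clean."""
    metadata = {normalize(k): v for k, v in metadata_by_name.items()}
    flagged: Dict[str, List[str]] = {}
    seen = set()
    stack = [(normalize(r), [normalize(r)]) for r in roots]
    while stack:
        name, chain = stack.pop()
        if name in BLOCKLIST and name not in flagged:
            flagged[name] = chain
        if name in seen:
            continue
        seen.add(name)
        for dep in requires_dist(metadata.get(name, "")):
            stack.append((dep, chain + [dep]))
    return flagged


# Constructed METADATA fragments for a hypothetical environment (not real metadata).
# "wallet-helper-demo" is an invented outer package whose own name passes a blocklist
# check; the malicious name only appears one hop down, as in the campaign described.
# "CCL-LevelDBases" is spelled differently from the reported name to exercise normalisation.
SAMPLE_METADATA = {
    "wallet-helper-demo": (
        "Name: wallet-helper-demo\n"
        "Requires-Dist: requests (>=2.0)\n"
        "Requires-Dist: cipherbcryptors; python_version >= \"3.8\"\n"
    ),
    "requests": "Name: requests\nRequires-Dist: urllib3\nRequires-Dist: idna\n",
    "urllib3": "Name: urllib3\n",
    "idna": "Name: idna\n",
    "cipherbcryptors": "Name: cipherbcryptors\n",
    "leveldb-reader-demo": "Name: leveldb-reader-demo\nRequires-Dist: CCL-LevelDBases\n",
    "CCL-LevelDBases": "Name: CCL-LevelDBases\n",
}


if __name__ == "__main__":
    for root in ("wallet-helper-demo", "leveldb-reader-demo", "requests"):
        hits = audit([root], SAMPLE_METADATA)
        if not hits:
            print(f"{root}: no blocklisted packages in its dependency tree")
        for pkg, chain in hits.items():
            print(f"{root}: blocklisted {pkg} pulled in via {' -> '.join(chain)}")
```

Against a real environment, the METADATA text for each installed distribution can be read with `importlib.metadata.distribution(name).read_text("METADATA")` from the standard library and fed to `audit` in place of the constructed dictionary; the walk then reports the chain that introduced a blocklisted name, which is the information needed to decide which top-level package to remove and which credentials to rotate.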
User Action Required
If you have installed any Python package related to crypto wallet recovery or decoding in recent weeks, check the list of malicious packages above. If you find a match, assume your wallet credentials are compromised and take immediate action: move your funds to a new wallet, change all related passwords, and report the incident to your wallet provider. Prevention remains the strongest defense — always verify before you install.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding cryptocurrency protection.
cipherbcryptors and ccl_leveldbases as hidden dependencies is clever. the outer packages looked almost legitimate on first glance
cipherbcryptors sounds like a legit crypto utility library too. the naming was deliberate to pass both human and automated checks
dual dependency layer is becoming the standard for supply chain attacks. the outer package passes code review while the inner one does the stealing
the outer packages had real looking documentation and plausible function names too. this was not some amateur typosquat, it was a targeted operation
targeting atomic, trust, metamask, ronin, tronlink and exodus in one campaign. they cast a wide net
targeting six major wallets in one campaign. the ROI on ten fake packages must have been massive
this is why you should never pip install anything without checking the maintainers and download counts. a package with 5 downloads and one contributor is a red flag
ten packages targeting six different wallets in one campaign. the supply chain attack surface in crypto tooling is massive and nobody is really policing it