Security researchers have discovered three malicious packages on the Python Package Index (PyPI) that were downloaded over 39,000 times before being removed. The packages were designed to steal sensitive data and validate stolen credit card information.
Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, posed as fixes for the legitimate bitcoinlib module. Both carried code that overwrote a legitimate command with a malicious replacement that stole sensitive database files from the machine on which it ran. The attackers also joined GitHub discussions to persuade users to install their fake fixes.
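One way to spot the "fake fix" pattern described above on a developer machine, as an added example that is not code from the reported packages or from the bitcoinlib project: list every console script that more than one installed distribution claims to provide, and compare each distribution's installed files against the hashes in its RECORD file, which is how a legitimate command overwritten after installation would show up. Only the standard library is used; the sample package and command names (goodlib, goodlib-dbfix, walletctl) are constructed.

```python
"""Two checks for the "fake fix" pattern: a package that registers a
command with the same name as one a legitimate package already provides,
or that overwrites the legitimate package's installed files.

Added example, not code from the reported packages or from bitcoinlib.
Standard library only; the sample names below are constructed.
"""
import base64
import hashlib
from collections import defaultdict
from importlib.metadata import distributions


def find_script_collisions(entries):
    """entries: iterable of (distribution_name, script_name) pairs.

    Returns {script_name: [distributions]} for every console script
    that more than one distribution claims to provide.
    """
    owners = defaultdict(set)
    for dist_name, script in entries:
        owners[script].add(dist_name)
    return {s: sorted(d) for s, d in owners.items() if len(d) > 1}


def installed_console_scripts():
    """Yield (distribution, script) pairs for every console_scripts
    entry point registered in the current environment."""
    for dist in distributions():
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                yield dist.metadata["Name"], ep.name


def encode_record_hash(data, algorithm="sha256"):
    """Hash file contents the way a wheel's RECORD file does: digest as
    urlsafe base64 with the trailing '=' padding stripped (PEP 427)."""
    digest = hashlib.new(algorithm, data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def record_hash_matches(data, algorithm, expected):
    """True if data hashes to the RECORD entry (algorithm, expected)."""
    return encode_record_hash(data, algorithm) == expected


def modified_files(dist):
    """Files of an installed distribution whose on-disk contents no
    longer match the hash recorded at install time, e.g. a command
    script that another package overwrote after the fact."""
    changed = []
    for path in dist.files or []:
        if path.hash is None:
            continue  # RECORD itself and .pyc files carry no hash
        try:
            data = path.locate().read_bytes()
        except OSError:
            changed.append(str(path))  # missing or unreadable: inspect it
            continue
        if not record_hash_matches(data, path.hash.mode, path.hash.value):
            changed.append(str(path))
    return changed


# Constructed sample: a legitimate package and a look-alike "fix" both
# register a command called "walletctl". Nothing here is taken from the
# real packages.
SAMPLE_ENTRIES = [
    ("goodlib", "walletctl"),
    ("goodlib-dbfix", "walletctl"),
    ("othertool", "othertool"),
]

if __name__ == "__main__":
    print("sample collisions:", find_script_collisions(SAMPLE_ENTRIES))
    for script, dists in find_script_collisions(installed_console_scripts()).items():
        print(f"{script}: provided by {', '.join(dists)}")
    for dist in distributions():
        for changed in modified_files(dist):
            print(f"{dist.metadata['Name']}: {changed} differs from RECORD")
```

Run it in the virtual environment you suspect; a command claimed by two distributions, or a file that no longer matches its RECORD hash, is the signature of the overwrite described above and deserves a look before the command is run again.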
The third and most downloaded package, named "disgrasya", made no attempt to look legitimate and was built for credit card theft. It was downloaded over 37,000 times and contained a carding script, a tool for testing whether stolen card numbers are still live, aimed at WooCommerce stores.
The disgrasya package specifically targeted merchants running WooCommerce with the CyberSource payment gateway. It worked by automating the steps of an ordinary purchase: adding a product to the cart, proceeding to checkout, and submitting a stolen card at payment. Because each attempt resembled a genuine customer's order, the attackers could check which stolen cards were still valid with less chance of triggering the store's fraud detection.
For each card that was accepted, the script forwarded the details, including the card number, expiration date and CVV code, to an external server controlled by the attacker.
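The attack in the two paragraphs above is hard to catch with rules that judge each transaction alone, because every attempt is a plausible purchase. The following added example (not the attacker's script, and not WooCommerce or CyberSource code) shows the defensive view: it runs over constructed checkout-log lines and flags a client that cycles through many distinct cards in a short window with most attempts declined, then lists the cards that came back approved, which are the ones a carding script would forward to its operator. The log format, field names and thresholds are assumptions and would be tuned to a real store's data.

```python
"""Flag card-testing ("carding") activity in checkout logs.

Per-attempt, a carding run looks like normal shopping. The aggregate
gives it away: one client trying many different cards in a short
window, most of them declined.

Added example, not the attacker's script and not WooCommerce or
CyberSource code. Log format, sample lines and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: timestamp, client IP, card token, amount, gateway result.
SAMPLE_LOG = """\
2025-04-01T10:00:02Z 203.0.113.5 card_0a1f 4.99 DECLINED
2025-04-01T10:00:09Z 203.0.113.5 card_3b2c 4.99 DECLINED
2025-04-01T10:00:15Z 203.0.113.5 card_c7e1 4.99 APPROVED
2025-04-01T10:00:21Z 203.0.113.5 card_9d40 4.99 DECLINED
2025-04-01T10:00:28Z 203.0.113.5 card_e512 4.99 DECLINED
2025-04-01T10:00:34Z 203.0.113.5 card_77aa 4.99 DECLINED
2025-04-01T10:02:00Z 198.51.100.7 card_5f5f 89.00 APPROVED
2025-04-01T10:45:12Z 198.51.100.7 card_5f5f 12.50 APPROVED
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, card, amount, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "card": card,
            "amount": float(amount),
            "result": result,
        })
    return events


def find_card_testing(events, window=timedelta(minutes=10),
                      min_cards=4, min_decline_ratio=0.5):
    """Return {ip: summary} for clients that tried at least min_cards
    distinct cards within `window` with a decline ratio of at least
    min_decline_ratio. The summary covers the largest qualifying window
    and lists the approved cards, i.e. the attacker's hit list."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            cards = {e["card"] for e in chunk}
            declines = sum(e["result"] != "APPROVED" for e in chunk)
            if len(cards) >= min_cards and declines / len(chunk) >= min_decline_ratio:
                best = flagged.get(ip)
                if best is None or len(chunk) > best["attempts"]:
                    flagged[ip] = {
                        "attempts": len(chunk),
                        "distinct_cards": len(cards),
                        "declines": declines,
                        "approved_cards": sorted(
                            e["card"] for e in chunk if e["result"] == "APPROVED"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The legitimate shopper (198.51.100.7) reuses one card across two ordinary orders and is never flagged; the tester (203.0.113.5) is flagged on the fourth distinct card. The approved cards in the summary are the ones to void and report, since those are exactly what the script exfiltrates.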
The name "disgrasya" itself is Filipino slang for "disaster" or "accident", an apt description for a package built to facilitate credit card fraud. Publishing the carding logic as a Python package gave the attackers a modular component that could be dropped into larger automated fraud pipelines.
This incident highlights the ongoing security challenges in public code repositories and the importance of verifying the provenance of third-party packages before installing them. PyPI has since removed all three malicious packages.