
Apr 05, 2025Ravie LakshmananMalware / Supply Chain Attack

Cybersecurity researchers have discovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information from users.

According to ReversingLabs, two of the packages, bitcoinlibdbfix and bitcoinlib-dev, pose as fixes for recent issues in the legitimate Python module bitcoinlib. A third package, disgrasya, discovered by Socket, was found to contain a fully automated carding script targeting WooCommerce stores.

The packages attracted hundreds of downloads before they were removed, according to statistics from pepy.tech.

ReversingLabs explained, “The malicious libraries both attempt a similar attack, overwriting the legitimate ‘clw cli’ command with malicious code that attempts to exfiltrate sensitive database files.”

Notably, the creators of the counterfeit libraries tried to deceive unsuspecting users by joining a GitHub issue discussion and urging them to download the bogus fix and run the library.

In contrast, disgrasya was found to be openly malicious, making no attempt to conceal its carding and credit card information-stealing functionality.

According to the Socket Research Team, “The malicious payload was introduced in version 7.36.9, and all subsequent versions carried the same embedded attack logic.”

Carding, also known as credit card stuffing, is a form of automated payment fraud in which fraudsters test a bulk list of stolen credit or debit card details against a merchant's payment processing system to find out which of the breached or stolen cards are still valid. It falls under the broader category of automated transaction abuse.

A common source for stolen credit card data is a carding forum, where credit card details pilfered from victims using methods like phishing, skimming, or stealer malware are advertised for sale to other threat actors to further criminal activity.

Once the cards are confirmed to be active, scammers use them to buy gift cards or prepaid cards, which are then resold for profit. Threat actors typically test a card's validity with small transactions on e-commerce sites, since small charges are less likely to be noticed by the cardholder or flagged by fraud controls.

The rogue package identified by Socket is designed to validate stolen credit card information, specifically targeting merchants using WooCommerce with CyberSource as the payment gateway.

The script achieves this by mimicking legitimate shopping activity, programmatically finding a product, adding it to a cart, navigating to the WooCommerce checkout page, and filling the payment form with randomized billing details and the stolen credit card data.

By mimicking a real checkout process, the idea is to test the validity of the plundered cards and exfiltrate relevant details, such as the credit card number, expiration date, and CVV, to an external server under the attacker’s control (“railgunmisaka[.]com”) without attracting the attention of fraud detection systems.

“While the name might raise eyebrows to native speakers (‘disgrasya’ is Filipino slang for ‘disaster’ or ‘accident’), it’s an apt characterization of a package that executes a multi-step process emulating a legitimate shopper’s journey through an online store in order to test stolen credit cards against real checkout systems without triggering fraud detection,” Socket explained.

“By embedding this logic inside a Python package published on PyPI and downloaded over 34,000 times, the attacker created a modular tool that could be easily used in larger automation frameworks, making disgrasya a powerful carding utility disguised as a harmless library.”
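The checkout-emulation flow described above is the attacker's side of the exchange. What a WooCommerce operator wants is the defensive counterpart: a way to spot the same pattern in checkout logs. The following is an added example, not code from the article, ReversingLabs, Socket or the disgrasya package. It is a small Python detector run over a constructed, hypothetical checkout log; the key=value field names, the 10-minute window and the thresholds are assumptions for illustration, not anything the article, WooCommerce or CyberSource defines. It flags source addresses that cycle through many distinct cards under randomized billing names for tiny amounts, the three signals the article describes together, while leaving an ordinary shopper who retries one card alone.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log in a hypothetical "key=value" format (not a real
# WooCommerce or CyberSource log): one checkout attempt per line.
# 203.0.113.7 cycles through six cards under six random billing names for
# 1.99 each, the pattern the article attributes to disgrasya;
# 198.51.100.9 is an ordinary shopper retrying one card after a decline.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z ip=203.0.113.7 name="Ava Ruiz" bin=411111 last4=0001 amount=1.99 result=declined
2025-04-01T10:00:03Z ip=203.0.113.7 name="Noah Kim" bin=411111 last4=0002 amount=1.99 result=declined
2025-04-01T10:00:05Z ip=203.0.113.7 name="Mia Chen" bin=542418 last4=0003 amount=1.99 result=approved
2025-04-01T10:00:07Z ip=203.0.113.7 name="Leo Park" bin=542418 last4=0004 amount=1.99 result=declined
2025-04-01T10:00:09Z ip=203.0.113.7 name="Zoe Diaz" bin=601100 last4=0005 amount=1.99 result=declined
2025-04-01T10:00:11Z ip=203.0.113.7 name="Eli Wong" bin=601100 last4=0006 amount=1.99 result=approved
2025-04-01T10:02:00Z ip=198.51.100.9 name="Sam Jones" bin=411111 last4=9999 amount=89.50 result=declined
2025-04-01T10:03:10Z ip=198.51.100.9 name="Sam Jones" bin=411111 last4=9999 amount=89.50 result=approved
"""


def parse_line(line):
    """Parse one constructed log line into a dict with typed ts/amount fields."""
    ts, *pairs = shlex.split(line)  # shlex keeps name="Ava Ruiz" as one token
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["amount"] = float(rec["amount"])
    return rec


def detect_carding(log_text, window=timedelta(minutes=10),
                   min_cards=5, min_names=4, max_median_amount=5.0):
    """Flag source IPs whose attempts inside any `window` look like card testing.

    The thresholds are assumptions for this example; a real deployment tunes
    them to its own traffic. A hit needs all three signals at once (many
    distinct cards, many distinct billing names, tiny median amount), so a
    shopper retrying one card under one name with a normal basket is not flagged.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span is at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            cards = {(r["bin"], r["last4"]) for r in win}
            names = {r["name"] for r in win}
            med = median([r["amount"] for r in win])
            if len(cards) >= min_cards and len(names) >= min_names and med <= max_median_amount:
                hit = {
                    "attempts": len(win),
                    "distinct_cards": len(cards),
                    "distinct_names": len(names),
                    "approved": sum(r["result"] == "approved" for r in win),
                    "median_amount": med,
                }
                # Keep the largest qualifying window seen for this IP.
                if ip not in findings or hit["attempts"] > findings[ip]["attempts"]:
                    findings[ip] = hit
    return findings


if __name__ == "__main__":
    for ip, hit in detect_carding(SAMPLE_LOG).items():
        print(f"{ip}: {hit}")
```

The `approved` count in a finding is the part worth acting on: those are cards the carder has just confirmed as live and, per the article, will go on to exfiltrate and use, so the merchant should void those orders and report the card numbers to the processor rather than only blocking the source address.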
