Researchers found more than 20 malicious packages in the PyPI directory aimed at stealing cryptocurrency. The packages masqueraded as popular libraries.
A total of 26 packages containing malicious code to steal cryptocurrency from users were found on PyPI. The packages contained a setup.py file with an obfuscated script that examined the user's clipboard for cryptocurrency identifiers.
If the script found such data in the clipboard buffer, it replaced it with the attacker's identifiers. The attack relied on the user not double-checking the copied text, pasting it into the payment field, and transferring the funds.
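
A package can be triaged without installing it by statically inspecting its setup.py for the traits described above: clipboard access and obfuscated code that runs at install time. The Python scanner below is an added example, not code from the researchers or from the reported packages; the module watch list, the 120-character threshold and the sample file are assumptions constructed for illustration.

```python
import ast
import re

# Modules that can read or write the clipboard (assumed watch list).
CLIPBOARD_MODULES = {"pyperclip", "win32clipboard", "clipboard", "tkinter"}
# Built-ins that run code assembled at install time.
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}
# Long base64-looking literal: a common sign of an embedded payload
# (the 120-character threshold is an assumption).
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=]{120,}$")


def scan_setup_py(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, finding) pairs for red flags in a setup.py.

    The source is only parsed into an AST; nothing in it is executed.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in CLIPBOARD_MODULES:
                findings.append((node.lineno, f"clipboard module import: {name}"))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_CALLS):
            findings.append((node.lineno, f"dynamic execution: {node.func.id}()"))
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and ENCODED_RE.match(node.value)):
            findings.append((node.lineno, f"encoded literal, {len(node.value)} chars"))
    return sorted(findings)


# Constructed sample, not taken from any of the reported packages.
SAMPLE_SETUP = (
    "from setuptools import setup\n"
    "import base64, pyperclip\n"
    'exec(base64.b64decode("' + "QUJD" * 40 + '"))\n'
    "setup(name='example-pkg', version='0.0.1')\n"
)

if __name__ == "__main__":
    for line, finding in scan_setup_py(SAMPLE_SETUP):
        print(f"setup.py:{line}: {finding}")
```

A hit is a reason to read the file by hand rather than proof of malice, since legitimate build scripts occasionally use these constructs.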