Malicious Python Packages Found on PyPI Used for Credential Theft and Credit Card Fraud
Cybersecurity researchers have uncovered several malicious Python libraries published on the Python Package Index (PyPI) that were designed to steal sensitive data and test stolen credit card information


Cybersecurity researchers have uncovered several malicious Python libraries published on the Python Package Index (PyPI) that were designed to steal sensitive data and test stolen credit card information in live e-commerce environments. The findings highlight a growing trend of attackers exploiting open-source ecosystems to distribute malware and fraud tools.
Overview of the Malicious Packages
The malicious packages, bitcoinlibdbfix, bitcoinlib-dev, and disgrasya, were discovered by the security firms ReversingLabs and Socket. Together they received over 39,000 downloads before being removed from PyPI.
Download statistics from pepy.tech show:
bitcoinlibdbfix: 1,101 downloads
bitcoinlib-dev: 735 downloads
disgrasya: 37,217 downloads
Masquerading as Legitimate Fixes
The first two packages, bitcoinlibdbfix and bitcoinlib-dev, impersonated legitimate updates to the well-known module bitcoinlib. The attackers attempted to mislead users by:
Joining GitHub issue threads related to bitcoinlib
Recommending that users download their malicious "fix" libraries
Once installed, these packages overwrote the legitimate command-line interface (the clw CLI) and executed malicious code that attempted to exfiltrate sensitive database files from affected systems.
Disgrasya: A Fully-Automated Carding Tool
The third package, disgrasya, took a more direct and openly malicious approach. Discovered by Socket, it contained automated carding scripts designed to validate stolen credit card data by interacting with WooCommerce stores that use CyberSource as their payment gateway.
How Carding Works
Carding refers to the practice of using stolen credit or debit card information to perform unauthorized transactions. Attackers commonly acquire this data through:
Phishing campaigns
Skimming devices
Stealer malware
Dark web marketplaces or carding forums
Once stolen, the card details are tested on real e-commerce platforms to check if they’re still valid. This process, known as automated transaction abuse, allows fraudsters to:
Make low-value test purchases to avoid detection
Use valid cards to buy gift cards or prepaid cards
Resell these for profit, effectively laundering the stolen data
The Mechanics of the Disgrasya Package
The malicious logic in disgrasya was embedded in version 7.36.9 and all versions thereafter. It works by emulating the entire shopping process, including:
Finding a product on a targeted WooCommerce store
Adding the item to the cart
Navigating to the checkout page
Filling in randomized billing data
Entering stolen credit card details
This level of automation allows the attacker to bypass basic fraud detection by simulating a legitimate shopping experience.
Once the transaction is attempted, the script captures the result and exfiltrates the card data, including the card number, expiration date, and CVV, to a remote server (railgunmisaka[.]com) controlled by the attacker.
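The card-testing behaviour described in the two sections above (many low-value checkout attempts, each with a different card and mostly declined) leaves a recognisable pattern on the merchant's side. The following is an added example for defenders, not code from the article, from Socket, or from the disgrasya package. It assumes a hypothetical checkout log format (one line per attempt with timestamp, source IP, order total, card last four digits, and gateway result); the log lines are constructed for the demo and the thresholds are illustrative starting points, not values the article gives.

```python
"""
Detecting automated card-testing ("carding") in checkout logs.

Added example (not the article's or any vendor's code). The log format is an
assumption: one line per checkout attempt with timestamp, source IP, order
total, card last four digits and gateway result. Sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; 203.0.113.7 cycles through six cards in 15 seconds
# at the same low order total, while 198.51.100.20 is an ordinary shopper.
SAMPLE_LOG = """\
2025-04-03T10:00:01Z ip=203.0.113.7 total=1.99 card_last4=4242 result=declined
2025-04-03T10:00:04Z ip=203.0.113.7 total=1.99 card_last4=1881 result=declined
2025-04-03T10:00:07Z ip=203.0.113.7 total=1.99 card_last4=0005 result=approved
2025-04-03T10:00:10Z ip=203.0.113.7 total=1.99 card_last4=9424 result=declined
2025-04-03T10:00:13Z ip=203.0.113.7 total=1.99 card_last4=6011 result=declined
2025-04-03T10:00:16Z ip=203.0.113.7 total=1.99 card_last4=3566 result=declined
2025-04-03T10:05:00Z ip=198.51.100.20 total=84.50 card_last4=4444 result=approved
2025-04-03T10:42:00Z ip=198.51.100.20 total=12.00 card_last4=4444 result=approved
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["total"] = float(rec["total"])
    return rec


def detect_card_testing(log_text, window=timedelta(minutes=5),
                        min_attempts=5, min_distinct_cards=4,
                        low_value=5.0, decline_ratio=0.6):
    """
    Flag source IPs whose checkout attempts inside a sliding time window look
    like card testing: enough attempts, many distinct cards, mostly low-value
    orders and a high decline rate. Returns {ip: reason_dict}.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start so recs[start:end+1] spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_attempts:
                continue
            cards = {r["card_last4"] for r in win}
            declines = sum(r["result"] == "declined" for r in win)
            low = sum(r["total"] <= low_value for r in win)
            if (len(cards) >= min_distinct_cards
                    and declines / len(win) >= decline_ratio
                    and low / len(win) >= 0.8):
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_cards": len(cards),
                    "decline_rate": round(declines / len(win), 2),
                }
                break  # one alert per source is enough
    return flagged


if __name__ == "__main__":
    for ip, why in detect_card_testing(SAMPLE_LOG).items():
        print(f"possible card testing from {ip}: {why}")
```

The distinct-card count is the signal that separates card testing from a legitimate shopper retrying one card; randomized billing details, as the package uses, would be another field worth keying on if the log captures them.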
“By embedding this logic inside a Python package published on PyPI and downloaded over 34,000 times, the attacker created a modular tool that could be easily used in larger automation frameworks,” said the Socket Research Team.
Broader Implications and Recommendations
This discovery reinforces the importance of supply chain security in open-source development. With platforms like PyPI playing a crucial role in software distribution, malicious actors are increasingly targeting these repositories to deliver malware disguised as legitimate tools.
Recommendations for Developers and Organizations:
Carefully vet third-party packages before installation
Use tools like dependency scanners or software composition analysis (SCA) to detect anomalies
Monitor PyPI project metadata and author behavior for signs of impersonation or misuse
Leverage sandboxed environments for testing lesser-known packages
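One concrete way to act on the first recommendation, and to catch the kind of impersonation described under "Masquerading as Legitimate Fixes", is to compare requirement names against an allowlist of packages the team actually uses and flag names that are a trusted name plus a plausible suffix (bitcoinlibdbfix, bitcoinlib-dev) or a near-identical spelling. This is an added example, not code from the article or from any SCA vendor; the allowlist, affix list, similarity threshold and requirements file are constructed for the demo, and only the two bitcoinlib lookalikes and disgrasya come from the article.

```python
"""
Flagging dependency names that impersonate a trusted package.

Added example (not the article's code or a vendor tool). TRUSTED, the affix
list and REQUIREMENTS are constructed; the threshold is illustrative.
"""
import difflib
import re

TRUSTED = {"bitcoinlib", "requests", "cryptography"}

# Constructed requirements list. bitcoinlib-dev, bitcoinlibdbfix and disgrasya
# are the names reported in the article; "reqeusts" is a made-up typosquat.
REQUIREMENTS = """\
requests==2.32.3
bitcoinlib-dev==0.6.1
cryptography>=42
bitcoinlibdbfix
reqeusts==2.32.3
disgrasya==7.36.9
"""

# Suffixes/prefixes commonly bolted onto a real name to look like a fix or fork.
SUSPICIOUS_AFFIXES = ("dev", "fix", "dbfix", "patch", "update", "py", "python", "lib")


def normalize(name):
    """PEP 503-style normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Extract the bare project name from a requirements line (drops version, extras, markers)."""
    return re.split(r"[\s\[=<>!~;@]", line.strip(), maxsplit=1)[0]


def classify(name, trusted=TRUSTED, affixes=SUSPICIOUS_AFFIXES, threshold=0.85):
    """
    Return None for a trusted name, a reason string if it looks like an
    impersonation of a trusted name, or 'unknown' otherwise.
    """
    n = normalize(name)
    if n in trusted:
        return None
    for t in trusted:
        if n.startswith(t) or n.endswith(t):
            rest = n[len(t):] if n.startswith(t) else n[:-len(t)]
            if rest.strip("-") in affixes:
                return f"affixed lookalike of {t}"
        if difflib.SequenceMatcher(None, n, t).ratio() >= threshold:
            return f"near-identical to {t}"
    return "unknown"


def vet_requirements(text, trusted=TRUSTED):
    """Map every non-trusted requirement name to its classification."""
    verdicts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name = requirement_name(line)
        verdict = classify(name, trusted)
        if verdict is not None:
            verdicts[name] = verdict
    return verdicts


if __name__ == "__main__":
    for name, verdict in vet_requirements(REQUIREMENTS).items():
        print(f"{name}: {verdict}")
```

Names classified as "unknown" are not necessarily malicious; they are the ones that need the manual vetting, metadata review and sandboxed testing the other recommendations call for, while the two lookalike classes deserve a block until someone confirms the publisher.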
“This incident shows that Python developers must be especially vigilant when pulling packages from PyPI—malicious tools can be cleverly disguised and weaponized at scale,” said ReversingLabs.
Conclusion
The malicious Python packages discovered on PyPI illustrate how cybercriminals are using open-source ecosystems not just for malware distribution, but also for automating financial fraud. Whether through credential theft or carding activity, these tools pose a significant risk to both developers and end-users.
Maintaining a strong security posture and staying informed about such threats is essential for defending against supply chain attacks and software-based fraud.