Multiple Malicious Python Packages Targeting Bittensor Crypto Developers
Table of Contents
TL;DR
Multiple malicious Python packages targeting crypto developers and their applications were discovered on PyPI. The packages were used to steal funds by executing a stealthy staking operation. In this specific case, the attackers hooked a legitimate staking function to redirect the funds to their own wallet. The attack leveraged typosquatting to target the popular bittensor package.
Following malicious packages were disclosed by GitLab Vulnerability Research Team:
bitensor@9.9.4bittenso-cli@9.9.4qbittensor@9.9.4bitensor@9.9.5bittenso@9.9.5
How SafeDep can protect developers?
SafeDep open source tools especially vet and pmg can help protect developers from malicious packages and other open source software supply chain attacks.
Our automated systems flagged the packages as suspicious due to multiple signals, including identifying the malicious code and intention in typosquatting packages. See example
- Hardcoded destination wallet address
5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR - Forced
transfer_all=Trueindicating operations without user consent
| Malicious Package | SafeDep Analysis | Flagged At |
|---|---|---|
bitensor@9.9.4 | Link | 8/6/2025, 2:53:48 AM |
bittenso-cli@9.9.4 | Link | 8/6/2025, 2:59:52 AM |
qbittensor@9.9.4 | Link | 8/6/2025, 3:03:45 AM |
bitensor@9.9.5 | Link | 8/6/2025, 3:16:03 AM |
bittenso@9.9.5 | Link | 8/6/2025, 3:17:10 AM |
SafeDep vet alerted users in CI/CD pipelines when trying to add any of the compromised package through a PR.
SafeDep pmg will alert developers when trying to install any of the compromised package.
How to protect your project?
At SafeDep, we believe code is the source of truth. We perform code analysis to detect vulnerabilities and malicious code in open source packages. If that is not feasible, general security best practices can be used to protect against common open source software supply chain attacks.
- Always vet open source packages for vulnerabilities and malicious code before use
- Ensure branch protection rules require code review before merging
- Establish trust on packages through its popularity, community or code review
- Avoid using most recently released package versions
- Prefer using open source packages only from trusted sources
SafeDep vet seamlessly integrates with your CI/CD pipeline and alerts you when trying to add any of the compromised package through a PR. SafeDep pmg will alert developers when trying to install any of the compromised package.
References
- pypi
- oss
- malware
- crypto
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering
Bitwarden CLI Supply Chain Compromise
A technical writeup of the malicious `@bitwarden/cli@2026.4.0` release linked to the Checkmarx campaign. Covers the poisoned publish path, loader changes, credential theft, GitHub abuse, and...
ixpresso-core: Windows RAT Disguised as a WhatsApp Agent
ixpresso-core poses as an AI WhatsApp agent on npm but installs Veltrix, a Windows RAT that steals browser credentials, Discord tokens, and keystrokes via a hardcoded Discord webhook.
Malicious Pull Requests: A Threat Model
A compact threat model of the malicious pull request as a supply chain attack primitive against GitHub Actions: attacker, goals, assets, controllable surface, and an attack vector taxonomy (V1...
PMG dependency cooldown: wait on fresh npm versions
Package Manager Guard (PMG) blocks malicious installs and now supports dependency cooldown, a configurable window that hides brand-new npm versions during resolution so installs prefer older,...
Ship Code.
Not Malware.
Start free with open source tools on your machine. Scale to a unified platform for your organization.
