Supply-chain threat intelligence

Incident detail

criticalpypi·credential theft·osv

Malicious code in py-base58 (PyPI)

py-base58

Risk score

92

AI summary

Indexed incident for py-base58 (pypi).

Description

py-base58 2.1.3 masquerades as a pure-Python base58 encoder but on first import of the top-level base58 package decodes a ~640KB base64-embedded Linux ELF binary from base58/_payload.py, writes it to ~/.config/.npm-cache/ under a name masquerading as a system daemon (e.g. systemd-journald, nvidia-persistenced, docker-containerd), chmods it 0777, launches it, and installs a user crontab entry re-executing it every 12 hours. The init.py hook then removes the package's own.dist-info/.egg-info directories from site-packages so pip list and pip show no longer reveal the package. Strings in the dropped binary identify it as a cryptocurrency-wallet stealer targeting BIP-39 mnemonics and keystore files for Phantom, MetaMask, Ledger, and Exodus, and paths including ~/.config/solana/id.json, ~/.ethereum/keystore, and ~/.foundry/keystores; harvested material is encrypted to an embedded attacker RSA public key and uploaded to public file hosts api.pinata.cloud (IPFS pinning), uguu.se, temp.sh, and transfer.sh. The package's declared purpose (base58 encoding) has no legitimate need to drop a native binary, schedule cron persistence, or scrub its own installation metadata.

The package embeds an executable stealing cryptocurrency wallets data. During import, code saves the executable under a name suggesting system utility and configures cron to run it periodically. The exfiltrated data is encrypted using embedded RSA code before uploading to file-sharing services or IPFS.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-py-base58

Reasons (based on the campaign):

  • crypto-related

  • exfiltration-crypto

  • persistence

Technical details

Affected versions

=2.1.3=2.1.4

Indicators

  • affected version=2.1.375%
  • affected version=2.1.475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents