Malicious Python packages target popular Bitcoin library

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.

This week: RL discovers malicious PyPI packages targeting a popular Python Bitcoin library. Also: A recent supply chain attack on GitHub has been linked to a leaked SpotBugs token. 

This Week’s Top Story

Malicious Python packages target popular Bitcoin library

This week, RL threat researchers detected two Python libraries designed to steal sensitive data while posing as fixes for a popular cryptocurrency library. RL Spectra Assure’s machine learning (ML) detection feature identified the two packages posted to the Python Package Index (PyPI), which contain malicious code that is designed to exfiltrate sensitive database files. 

The malicious packages are meant to target a popular Python library, bitcoinlib, which contains features for creating and managing crypto wallets, interacting with the blockchain, running Bitcoin scripts, and more. The open-source library is widely used, with more than 1 million downloads to date — and frequent updates. The packages, bitcoinlibdbfix and bitcoinlib-dev, are named after an issue raised recently related to error messages being generated by bitcoinlib during currency transfers, in which developers called upon the library’s maintainers to address the issue. 

The malicious libraries both attempt a similar attack, overwriting the legitimate clw CLI command with malicious code that attempts to exfiltrate sensitive database files.

The developers responsible for the malicious libraries appear to have joined in a discussion with other bitcoinlib developers, and attempted to get users to download the bitcoinlibdbfix library and run it. However, the malicious content within was detected by the package contributors, and the comments were deleted. The second package, bitcoinlib-dev, was uploaded to PyPI shortly after the first package was removed, but it has since been removed.
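One defender-side check that follows from this story: the malicious packages overwrote a command (clw) that a different, legitimate distribution (bitcoinlib) already provides, so an environment audit can flag any console-script entry point claimed by an unexpected or second distribution. This is an added example, not ReversingLabs tooling; the EXPECTED_OWNERS mapping and the sample package list are constructed assumptions.

```python
"""Flag console-script entry points that collide across installed
distributions, e.g. a second package registering the `clw` command
that bitcoinlib provides. Added example, not the page's own code."""
from importlib.metadata import distributions

# Commands we expect exactly one known distribution to own.
# bitcoinlib -> clw comes from the story; the rest is an assumption
# to extend per environment. Names compared case-insensitively.
EXPECTED_OWNERS = {"clw": "bitcoinlib"}


def installed_console_scripts():
    """Return (dist_name, script_name) pairs for every console_scripts
    entry point in the current environment (live, read-only)."""
    found = []
    for dist in distributions():
        name = dist.metadata["Name"]
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                found.append((name, ep.name))
    return found


def find_hijacks(scripts, expected=EXPECTED_OWNERS):
    """Given (dist, script) pairs, return {script: [suspect dists]} for
    commands registered by a distribution other than the expected owner,
    or, for commands with no expected owner, by more than one distribution."""
    owners = {}
    for dist, script in scripts:
        owners.setdefault(script, set()).add(dist.lower())
    suspicious = {}
    for script, dists in owners.items():
        owner = expected.get(script)
        if owner is not None:
            bad = sorted(d for d in dists if d != owner.lower())
            if bad:
                suspicious[script] = bad
        elif len(dists) > 1:
            suspicious[script] = sorted(dists)
    return suspicious


if __name__ == "__main__":
    # Constructed sample mirroring the story: bitcoinlib owns clw and a
    # look-alike package re-registers the same command.
    sample = [("bitcoinlib", "clw"), ("bitcoinlib-dev", "clw"), ("pip", "pip")]
    print(find_hijacks(sample))  # {'clw': ['bitcoinlib-dev']}
    print(find_hijacks(installed_console_scripts()))
```

This only inspects entry-point metadata; a package that overwrites the clw script file on disk at install time without declaring an entry point would need a file-integrity check of the scripts directory instead.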

“The number of new packages that get published (to open-source repositories) on a daily basis is posing a challenge for security organizations, and ML model-based detection is currently the best answer that the security industry can provide.” -- Karlo Zanki, Reverse Engineer, RL

(RL Blog)

This Week’s Headlines

Recent GitHub supply chain attack linked to SpotBugs token

New details about a supply chain attack on GitHub that targeted the cryptocurrency exchange Coinbase last month have emerged. Researchers said they believe that the compromise can be traced back to a single token stolen from a SpotBugs workflow that allowed the threat actor to compromise multiple GitHub projects. SpotBugs is a static analysis tool that was breached in November 2024. That breach led to the compromise of Reviewdog, followed by an infection of tj-actions/changed-files. This multi-step compromise serves as a cascading software supply chain attack, which eventually exposed development secrets in 218 repositories. Researchers said they believe the attackers were aiming to breach projects belonging to Coinbase. (BleepingComputer)

CISA warns of new malware targeting Ivanti zero-day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory for a new malware variant known as Resurge. Attackers are using the variant to exploit a critical stack buffer overflow vulnerability (CVE-2025-0282) in Ivanti Connect Secure, a remote access VPN. According to CISA, threat actors can use the new Resurge malware variant to create web shells, harvest credentials, create new accounts, initiate password resets and elevate permissions. Resurge also shares similarities with the Spawn malware family, which historically has been used by Chinese nation-state threat actors. The Ivanti vulnerability was discovered in January 2025 by Mandiant researchers, who found that the flaw was being exploited in the wild by a China-nexus espionage group tracked as UNC5337. (Cybersecurity Dive)

Application security over-alerting requires immediate action

Ox Security analyzed over 100 million application security (AppSec) findings collected from 178 organizations over the course of Q4 2024, yielding telling insights about the state of AppSec tooling and alert fatigue. In a report, Ox said it found that only 2-5% of security alerts require immediate action. However, organizations continue to spend time, money and resources on the remaining 95% of non-critical issues raised by AppSec tooling, the report said. It also found that through context-based prioritization, these false positives can be greatly reduced. When AppSec teams are busy dealing with false positives, teams are likely missing key software supply chain threats that traditional tooling fails to address. (Help Net Security)

Supply chain attack affects UK’s Royal Mail

Attackers announced on a popular data leak forum that they breached the Royal Mail last month, but the UK postal service asserts that the breach stemmed from a third-party software supply chain attack. A Royal Mail representative said that the incident “is alleged to have affected Spectos, a supplier of Royal Mail.” They also noted that the postal service is working with Spectos to investigate the incident and understand the situation’s full impact. Attackers behind the incident claim to have stolen 144 gigabytes of data from Royal Mail, which include confidential documents, customer details, recordings of Zoom meetings, a WordPress SQL database, and more. Details about the primary attack, and the subsequent supply chain attack on Royal Mail, have not yet been revealed. (Cybernews)

For more insights on software supply chain security, see the RL Blog.

The Best of RL

Blog | CVEs lose relevance: Get proactive

More cracks in the NVD emerge, making the CVE system less useful. Shift your approach to keep up with software risk. (Read It Here)

Webinar | EU Compliance & Supply Chain Security

Thursday, April 10 at 9:30am ET

The EU is rolling out major cybersecurity regulations — CRA, NIS2, and DORA — to strengthen software supply chain security and third-party risk management (TPRM). Join this webinar and gain valuable insights regarding how to not only achieve compliance, but also proactively detect and mitigate software supply chain threats before they materialize. (Save Your Seat)

Webinar | The Developer’s Guide to Supply Chain Security

Tuesday, April 15 at 11am ET

Join RL’s Kadi (Grigg) McKean as she talks with developer champion Steve Poole and cyber strategist Andy Lewis to break down the fundamentals of developer-centric software supply chain security. The team will explore its unique challenges, and discuss actionable strategies for safeguarding your development process. (Save Your Seat)

For more webinars, see RL’s on-demand library.
