Malicious Python Packages Target Crypto Wallet Recovery Passwords
ID: 6858564a-d9a2-51ac-9404-f7af2485ea3c
STIX ID: report--6858564a-d9a2-51ac-9404-f7af2485ea3c
Feed Name: Security Ledger
A newly discovered campaign called BIPClip distributes malicious Python packages on PyPI that steal BIP39 mnemonic seed phrases from developers. The malicious packages (including bip39_mnemonic_decrypt, mnemonic_to_address, public-address-generator, erc20-scanner, and hashdecrypts/hashdecrypt) embed a decrypt_jsBIP39 function and related routines that decode a Base64-encoded C2 URL and exfiltrate mnemonics over HTTP to attacker-controlled servers. Code reuse and a linked older package suggest ongoing supply-chain targeting of cryptocurrency projects, with measured but limited download counts.
