
Busted in 20 Minutes: How Uptycs XDR Unmasked a 6-Package Crypto Stealer Campaign on PyPI

By Nijin K · Published May 8, 2026 · 1 min read · Source: Cryptocurrency Tag

In a sophisticated supply-chain attack, a single threat actor — operating under the alias aaccb777 (also known as smileyyuu) — successfully uploaded a suite of six malicious packages to the Python Package Index (PyPI). While these packages masqueraded as helpful SDKs for Solana, Ethereum, and Tron, their true purpose was to harvest private keys and drain wallets.


By leveraging the Uptycs XDR platform, I was able to “bust” the entire campaign by identifying common behavioral signatures across all six projects. Here is a deep dive into how the attack functioned and how modern XDR can stop it.

The "Dirty Half-Dozen": The Malicious Suite

The attacker released six packages simultaneously to cast as wide a net as possible across the developer community:

  1. solana-py-sdk: Targets Solana developers.
  2. eth-wallet-kit: Targets Ethereum developers.
  3. tron-energy-sdk: Targets Tron ecosystem developers.
  4. web3-tool-sdk: A generic target for Web3 developers.
  5. crypto-bot-utils: Targets developers building automated trading bots.
  6. wallet-scanner-pro: Deceptively marketed as a security utility.
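As an added example (not code from the article or from Uptycs), here is a Python check a defender can run over a requirements.txt or `pip freeze` output to find any of the six reported package names; names are normalized per PEP 503 so case and separator variants still match, and the sample manifest is constructed for illustration.

```python
import re
from typing import Optional

# The six package names reported in the campaign (as listed in the article).
CAMPAIGN_PACKAGES = {
    "solana-py-sdk", "eth-wallet-kit", "tron-energy-sdk",
    "web3-tool-sdk", "crypto-bot-utils", "wallet-scanner-pro",
}

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Project name is the leading token before any extras, specifier or marker.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def requirement_name(line: str) -> Optional[str]:
    """Extract the normalized project name from one requirements.txt / pip freeze line."""
    line = line.split("#", 1)[0].strip()          # drop trailing comments
    if not line or line.startswith(("-", "http://", "https://", "git+")):
        return None                               # options, includes and URL requirements
    m = _REQ_RE.match(line)
    return normalize(m.group(1)) if m else None

def find_campaign_packages(lines):
    """Return (line_number, normalized_name) for every line naming a campaign package."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        name = requirement_name(line)
        if name in CAMPAIGN_PACKAGES:
            hits.append((lineno, name))
    return hits

# Constructed sample manifest (not from the article) covering the variants the matcher must handle.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0          # benign
Solana_Py_SDK>=0.1        # case/underscore variant of a campaign name
eth-wallet-kit[async]==1.2.0
-r base.txt
web3==6.0.0               # legitimate Web3 library, must not match
wallet.scanner.pro
""".splitlines()

if __name__ == "__main__":
    for lineno, name in find_campaign_packages(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name} matches a package from the reported campaign")
```

Feed it `pip freeze` output from a build host or CI runner to check already-installed environments as well as manifests.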

This article was originally published on Cryptocurrency Tag and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].
