When it comes to the frequency and sophistication of software supply chain attacks, few industries can compare with the cryptocurrency industry. As Balena’s 2025 Software Supply Chain Security Report notes: In 2024, there were close to two dozen sustained supply chain campaigns designed to compromise cryptocurrency applications, crypto owners’ wallets and trading platforms.
In 2025, there is no change in that trend line. A string of malicious software supply chain campaigns have targeted developers working on crypto-related applications. The latest popped onto the Balena research team’s radar last week when automated machine learning (ML) detection features in Balena’s Spectra platform identified two malicious Python packages posted to the Python Package Index (PyPI) containing code designed to exfiltrate sensitive database files.
Here’s how the crypto malware was discovered by the Balena research team.
Popular Python crypto library targeted with a fake fix
The Python packages we found both had names that target users of bitcoinlib, a popular Python library that contains features for creating and managing crypto wallets, interacting with the Blockchain, and running Bitcoin scripts, among other things. Bitcoinlib is a widely used open source library, with more than one million downloads to date and frequent updates.
The malicious packages detected were named bitcoinlibdbfix and bitcoinlib-dev. Both names are apparent references to an issue raised recently about error messages generated by bitcoinlib during bitcoin transfers, an issue that developers had been asking the maintainers to address.
Both malicious libraries attempt a similar attack: overwriting the legitimate clw CLI command with malicious code that attempts to exfiltrate sensitive database files.
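As an added example (not code from the article, nor from Balena's Spectra platform), the following Python check encodes the two signals the article describes: a package name that rides on bitcoinlib's, and a console_scripts entry point that shadows bitcoinlib's clw command. Treating clw as bitcoinlib's command comes from the article; the entry_points.txt samples and the module paths inside them are constructed.

```python
import re
from configparser import ConfigParser

# Protected package -> CLI commands it provides (bitcoinlib/clw per the article).
PROTECTED = {"bitcoinlib": {"clw"}}

# Constructed entry_points.txt samples, not the real packages' metadata.
SAMPLE_DBFIX = "[console_scripts]\nclw = bitcoinlibdbfix.cli:main\n"
SAMPLE_DEV = "[console_scripts]\nclw = bitcoinlib_dev.main:run\n"
SAMPLE_BENIGN = "[console_scripts]\nmytool = mytool.cli:main\n"


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def console_scripts(entry_points_txt: str) -> dict:
    """Return {command: target} from the [console_scripts] section."""
    parser = ConfigParser()
    parser.optionxform = str  # keep command names case-sensitive
    parser.read_string(entry_points_txt)
    if not parser.has_section("console_scripts"):
        return {}
    return dict(parser.items("console_scripts"))


def assess(package_name: str, entry_points_txt: str) -> list:
    """Return human-readable findings; an empty list means no signal fired."""
    findings = []
    name = normalize(package_name)
    scripts = console_scripts(entry_points_txt)
    for protected, commands in PROTECTED.items():
        if name == protected:
            continue  # the genuine package legitimately ships its own CLI
        if name.startswith(protected):
            findings.append(f"name {package_name!r} rides on {protected!r}")
        for cmd in sorted(commands & set(scripts)):
            findings.append(
                f"console_script {cmd!r} shadows {protected}'s command "
                f"(target {scripts[cmd]})")
    return findings


if __name__ == "__main__":
    for pkg, eps in [("bitcoinlibdbfix", SAMPLE_DBFIX),
                     ("bitcoinlib-dev", SAMPLE_DEV), ("mytool", SAMPLE_BENIGN)]:
        print(pkg, assess(pkg, eps) or "clean")
```

Run against a real distribution by feeding it the package name and the contents of its `*.dist-info/entry_points.txt`.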
The developers responsible for the “scam libraries” appear to have joined in a discussion with other bitcoinlib developers and attempted to get the bitcoinlibdbfix library downloaded and run. However, the malicious content of that library was detected by the package contributors and the comments deleted.
The second malicious package, bitcoinlib-dev, was uploaded to PyPI shortly after the first package was removed from the package manager, but has now been removed and is not available for download.
A big win for ML detection of supply chain attacks
While the threat of such attacks on PyPI remains, Balena’s detection of the malicious packages is evidence of the growing power of AI and machine learning (ML) in detecting emerging software supply chain attacks.
Both the bitcoinlibdbfix and bitcoinlib-dev packages were flagged in Balena’s Spectra platform using Machine Learning (ML) algorithms that can detect novel malware by analyzing the behaviors that software components exhibit. It then flags those that resemble behaviors associated with previously discovered malware campaigns and software supply chain attacks.
By encapsulating threat hunting intelligence in discrete security policies like these, Spectra can spot emerging threats in Python and other open source packages, even absent social engineering campaigns like the one carried out by the developers of the malicious bitcoinlib packages.
Automated detection like this is critical if software publishers and end-user organizations hope to shield themselves from the rising tide of software supply chain attacks targeting cryptocurrency.
Karlo Zanki, reverse engineer at Balena, said that using open-source packages in your development environment and software project “can pose a significant security risk.”
“Automated ML detections are the only way to implement real-time protection from emerging threats that bypass traditional signature-based detection mechanisms. The number of new packages that get published on a daily basis is posing a challenge for security organizations and ML model based detection is currently the best answer that the cybersecurity industry can provide.”—Karlo Zanki