Bitcoinlib under fire: How PyPI typosquatting put crypto wallets at risk

In early April 2025, security researchers raised alarms about a malicious attack targeting Bitcoinlib users. Hackers didn’t attack the Bitcoinlib library itself

output: A recent report by ReversingLabs has shed light on a concerning attack targeting Bitcoinlib, a popular Python library used for interacting with Bitcoin.

output: A recent report by ReversingLabs has shed light on a concerning attack targeting Bitcoinlib, a popular Python library used for interacting with Bitcoin.

Instead of directly hacking the library itself, hackers uploaded fake versions of Bitcoinlib to PyPI (Python Package Index), the platform from which developers download libraries. This ploy tricked developers into installing the malicious packages, granting hackers access to their crypto wallets.

The 2024 Software Supply Chain Security Report, produced by ReversingLabs, delves into the increasing sophistication of software supply chain attacks, particularly focused on cryptocurrency applications. Throughout the year, researchers identified 23 malicious campaigns targeting crypto infrastructure, largely via open-source repositories like npm and PyPI.

These attacks spanned both basic typosquatting — where packages closely resemble legitimate ones in spelling to deceive developers — and more advanced tactics. Some attackers created packages that initially appeared benign but were later updated with malicious code, such as the “aiocpa” package or the assault on Solana’s web3.js library.

Moreover, attackers grew bolder in targeting prominent libraries, demonstrating a shift from opportunistic to targeted attacks. Among the victims were Node.js modules used by major decentralized exchanges (DEXs) and a package designed for smart contracts on the Hedera blockchain.

Cryptocurrency, in the words of ReversingLabs, serves as a “canary in the coal mine,” highlighting the strong financial incentives that draw attackers to the space. The crypto industry, in essence, provides a testing ground for emerging threat types that could later be applied to other sectors.

As organizations move away from trust-based assumptions, particularly when dealing with third-party or closed-source binaries, they will need to adjust their approach to security accordingly.output: In early April, security researchers sounded the alarm on a focused attack targeting users of Bitcoinlib, a popular Python library used by developers to interact with Bitcoin.

As organizations move away from trust-based assumptions, particularly when dealing with third-party or closed-source binaries, they will need to adjust their approach to security accordingly.output: In early April, security researchers sounded the alarm on a focused attack targeting users of Bitcoinlib, a popular Python library used by developers to interact with Bitcoin.

However, hackers didn’t attack the Bitcoinlib library itself. Instead, they uploaded fake versions of the library to PyPI (Python Package Index), the platform where developers download Python libraries.

The ploy worked, and developers ended up installing the malicious packages, granting the hackers access to their crypto wallets.

Now, ReversingLabs’ 2024 Software Supply Chain Security Report has taken a closer look at this hack and the broader trends in software supply chain security.

The report, titled “The Evolving Threat Landscape,” documents a year of tracking and analysis of software supply chain threats, focusing on emerging attack types, preferred attack vectors, and the attackers’ shifting targets.

The report found that software supply chain attacks grew more sophisticated in 2024, with particular intensity around cryptocurrency applications. Throughout the year, researchers identified 23 malicious campaigns targeting crypto infrastructure, the majority (14) focused on open-source repositories like npm and PyPI.

These spanned both basic typosquatting — where packages closely resemble legitimate ones in spelling to deceive developers — and more advanced tactics. Some attackers created packages that initially appeared benign but were later updated with malicious code, such as the “aiocpa” package or the assault on Solana’s web3.js library.

Moreover, attackers grew bolder in targeting prominent libraries, demonstrating a shift from opportunistic to targeted attacks. Among the victims were Node.js modules used by major decentralized exchanges (DEXs) and a package designed for smart contracts on the Hedera blockchain.

Cryptocurrency, in the words of ReversingLabs, serves as a “canary in the coal mine,” highlighting the strong financial incentives that draw attackers to the space. The crypto industry, in essence, provides a testing ground for emerging threat types that could later be applied to other sectors.

As organizations move away from trust-based assumptions, particularly when dealing with third-party or closed-source binaries, they will need to adjust their approach to security accordingly.