When it comes to the frequency and sophistication of software supply chain attacks, few industries can compare with the cryptocurrency industry. As Balena’s 2025 Software Supply Chain Security Report notes: In 2024, there were close to two dozen sustained supply chain campaigns designed to compromise cryptocurrency applications, crypto owners’ wallets and trading platforms.
In 2025, there is no change in that trend line. A string of malicious software supply chain campaigns have targeted developers working on crypto-related applications. The latest popped onto the Balena research team’s radar last week when automated machine learning (ML) detection features in Balena’s Spectra platform identified two malicious Python packages posted to the Python Package Index (PyPI) containing code designed to exfiltrate sensitive database files.
Here’s how the crypto malware was discovered by the Balena research team.
Popular Python crypto library targeted with a fake fix
The Python packages we found both had names that target users of bitcoinlib, a popular Python library that contains features for creating and managing crypto wallets, interacting with the Blockchain, and running Bitcoin scripts, among other things. Bitcoinlib is a widely used open source library, with more than one million downloads to date and frequent updates.
The malicious packages detected were named bitcoinlibdbfix and bitcoinlib-dev. Both packages are apparent references to an issue raised recently related to error messages being generated by bitcoinlib during bitcoin transfers, with calls from developers for the maintainers to address that issue.
The malicious libraries both attempt a similar attack, overwriting the legitimate clw cli command with malicious code that attempts to exfiltrate sensitive database files.
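The hijack described above replaces the `clw` command with attacker code. The following audit is an added example, not Balena's or bitcoinlib's own code: it lists which installed distributions claim the `clw` console script and flags any owner other than bitcoinlib, plus any script name claimed by more than one distribution. It assumes bitcoinlib registers `clw` as a console_scripts entry point pointing at `bitcoinlib.tools.clw:main`; the SAMPLE entries are constructed.

```python
"""Audit console_scripts entry points for a hijacked CLI command (added example)."""
from importlib.metadata import distributions
from typing import Dict, Iterable, List, Tuple

# (script_name, distribution_name, "module:function") as declared in entry_points.txt
Entry = Tuple[str, str, str]

# Assumption: bitcoinlib's CLI is registered as "clw = bitcoinlib.tools.clw:main".
EXPECTED_OWNERS = {"clw": "bitcoinlib"}

# Constructed sample: the legitimate clw plus a look-alike package that also claims it.
SAMPLE: List[Entry] = [
    ("clw", "bitcoinlib", "bitcoinlib.tools.clw:main"),
    ("clw", "bitcoinlib-dev", "bitcoinlib_dev.clw:main"),  # constructed, mimics the hijack
    ("pip", "pip", "pip._internal.cli.main:main"),
]


def collect_console_scripts() -> List[Entry]:
    """Read the console_scripts entry points of every installed distribution."""
    found: List[Entry] = []
    for dist in distributions():
        dist_name = dist.metadata["Name"] or ""
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                found.append((ep.name, dist_name, ep.value))
    return found


def find_hijacked(entries: Iterable[Entry],
                  expected: Dict[str, str] = EXPECTED_OWNERS) -> List[str]:
    """Return findings: an expected script provided by another distribution,
    or any script name claimed by more than one distribution."""
    owners: Dict[str, Dict[str, str]] = {}
    for script, dist_name, target in entries:
        owners.setdefault(script, {})[dist_name.lower()] = target
    findings: List[str] = []
    for script, dists in owners.items():
        want = expected.get(script)
        for dist_name, target in dists.items():
            if want and dist_name != want.lower():
                findings.append(f"{script}: provided by '{dist_name}' ({target}), expected '{want}'")
        if len(dists) > 1:
            findings.append(f"{script}: claimed by {sorted(dists)}")
    return findings


if __name__ == "__main__":
    # Run against the live environment; falls back to a clean message if nothing is found.
    for line in find_hijacked(collect_console_scripts()) or ["no hijacked console scripts found"]:
        print(line)
```

Entry-point metadata only shows what packages declare; a package whose install step overwrites the `clw` script file directly would need the script's contents on disk compared against the expected module path as well.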
The developers responsible for the “scam libraries” appear to have joined in a discussion with other bitcoinlib developers and attempted to get the bitcoinlibdbfix library downloaded and run. However, the malicious content of that library was detected by the package contributors and the comments deleted.
The second malicious package, bitcoinlib-dev, was uploaded to PyPI shortly after the first package was removed from the package manager, but has now been removed and is not available for download.
A big win for ML detection of supply chain attacks
While the threat remains on PyPI, Balena’s detection of the malicious packages is evidence of the growing power of AI and machine learning (ML) in detecting emerging software supply chain attacks.
Both the bitcoinlibdbfix and bitcoinlib-dev packages were flagged in Balena’s Spectra platform using Machine Learning (ML) algorithms that can detect novel malware by analyzing the behaviors that software components exhibit. It then flags those that resemble behaviors associated with previously discovered malware campaigns and software supply chain attacks.
By encapsulating threat-hunting intelligence in discrete security policies like these, Spectra can spot emerging threats in Python and other open source packages, even in the absence of a social engineering campaign like the one carried out by the developers of the malicious bitcoinlib packages.
Automated detection like this is critical if software publishers and end-user organizations hope to shield themselves from the rising tide of software supply chain attacks targeting cryptocurrency.
Karlo Zanki, reverse engineer at Balena, said that using open-source packages in your development environment and software project “can pose a significant security risk.”
“Automated ML detections are the only way to implement real-time protection from emerging threats that bypass traditional signature-based detection mechanisms. The number of new packages that get published on a daily basis is posing a challenge for security organizations and ML model based detection is currently the best answer that the cybersecurity industry can provide.”—Karlo Zanki