Security Articles

BIPClip: Malicious PyPI packages target crypto wallet recovery passwords

released on 2024-03-13 @ 09:16:15 AM
A newly discovered campaign uses malicious PyPI packages posing as legitimate open-source libraries to steal BIP39 mnemonic phrases, the word lists used to recover cryptocurrency wallets. The campaign, named BIPClip, spans seven PyPI packages and 19 versions, the earliest dating back to December 2022. Its goal is to harvest the mnemonic phrases that back hierarchical deterministic Bitcoin wallets, which shows that cryptocurrency remains a prime target for supply chain attackers. To avoid detection, the top-level packages look benign and pull the malicious code in through a dependency, and their names mimic legitimate projects (name squatting). Developers adopting open-source packages should review a package's transitive dependencies, not just its top-level name, and treat look-alike names as a warning sign.
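The two evasion tricks above, malicious code hidden in a dependency and names that mimic trusted projects, can be checked for mechanically. The following is an added example written for this page, not code from the BIPClip report or from any of the packages involved: it walks a package's transitive dependency tree, reports everything not on an allowlist with the depth at which it was pulled in, and flags names within a small edit distance of a trusted name. The dependency graph, the package names such as wallet-tool, seed-helper and mnemonlc, and the allowlist are all constructed for illustration.

```python
# Added example: transitive-dependency audit with a name-squatting heuristic.
# Illustrative code written for this page, not code from the BIPClip report.
# The graph, package names and allowlist below are constructed; only
# "requests", "urllib3" and "mnemonic" are real PyPI project names.
from collections import deque


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-insensitive, '-', '_' and '.' equivalent."""
    return name.lower().replace("_", "-").replace(".", "-")


def transitive_deps(graph: dict, root: str) -> dict:
    """Breadth-first walk of the dependency graph.

    Returns {package: depth}; depth 0 is the root, 1 a direct dependency,
    2+ something the root never names directly but still installs."""
    norm = {normalize(k): [normalize(d) for d in v] for k, v in graph.items()}
    depths = {normalize(root): 0}
    queue = deque([normalize(root)])
    while queue:
        pkg = queue.popleft()
        for dep in norm.get(pkg, []):
            if dep not in depths:
                depths[dep] = depths[pkg] + 1
                queue.append(dep)
    return depths


def audit(graph: dict, root: str, trusted: set, max_distance: int = 2) -> list:
    """Report every transitive dependency of root that is not on the allowlist.

    Each finding carries its depth and, when the name is within max_distance
    edits of a trusted name, that trusted name under "lookalike_of"."""
    trusted = {normalize(t) for t in trusted}
    findings = []
    for pkg, depth in transitive_deps(graph, root).items():
        if depth == 0 or pkg in trusted:
            continue
        nearest = min(trusted, key=lambda t: levenshtein(pkg, t))
        dist = levenshtein(pkg, nearest)
        findings.append({
            "package": pkg,
            "depth": depth,
            "lookalike_of": nearest if dist <= max_distance else None,
        })
    return sorted(findings, key=lambda f: (f["depth"], f["package"]))


# Constructed dependency graph: "package": [what it requires].
SAMPLE_GRAPH = {
    "wallet-tool": ["requests", "seed-helper"],  # hypothetical top-level package
    "seed-helper": ["mnemonlc"],                 # hypothetical; drags in a look-alike
    "mnemonlc": [],                              # hypothetical look-alike of "mnemonic"
    "requests": ["urllib3"],
    "urllib3": [],
}
# Constructed allowlist of packages the team has already reviewed.
TRUSTED = {"requests", "urllib3", "mnemonic"}

if __name__ == "__main__":
    for f in audit(SAMPLE_GRAPH, "wallet-tool", TRUSTED):
        note = f" (looks like {f['lookalike_of']})" if f["lookalike_of"] else ""
        print(f"depth {f['depth']}: {f['package']}{note}")
```

Run against the constructed graph, the audit surfaces seed-helper as an unreviewed direct dependency and mnemonlc, two levels down, as a look-alike of the real mnemonic package; neither would be obvious from reading the top-level package name alone. In practice the graph would be built from a lockfile or from the metadata of a resolved install, and the allowlist from the packages the team has actually reviewed.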