JFrog researchers have uncovered a new supply chain attack targeting cryptocurrency users through a malicious Python package uploaded to the PyPI repository. The package, named “ccxt-mexc-futures,” masqueraded as a legitimate tool for interacting with the MEXC cryptocurrency exchange but was designed to steal users’ crypto assets.
According to JFrog, the package contained an “info-stealer” malware that harvested environment variables, hijacked cryptocurrency transactions, and exfiltrated sensitive data to an attacker-controlled server.
Specifically, it targeted users trading on MEXC by modifying withdrawal requests, rerouting tokens to wallets controlled by the threat actor.
A Stealthy Operator
The malware operated stealthily, making its malicious code harder to detect by obfuscating parts of its logic and mimicking the behavior of genuine crypto-trading tools. After gathering user credentials and API keys from environment variables, it silently monitored and intercepted trade commands, particularly focusing on withdrawal operations.
What is most alarming about this attack is how tailored it is. Rather than going for bulk exploitation, the attacker took the trouble to specifically target users who were active on MEXC, increasing their chances of stealing large sums of money.
This level of targeting suggests cybercriminals’ tactics might be shifting—moving from general attacks to highly focused supply chain threats.
JFrog noted that although the package was quickly removed from PyPI after discovery, the incident highlights ongoing risks associated with open-source repositories. Developers often trust that packages hosted on platforms like PyPI are safe, but attackers continue to exploit this trust to distribute malware.
The Supply Chain Concern
The wider cybersecurity community is increasingly concerned with supply chain vulnerabilities, particularly in open-source ecosystems where authentication can be sporadic. JFrog advises companies and developers to adopt stringent security practices, such as validating packages before use, limiting exposure of API keys, and aggressively scanning the software supply chain for signs of tampering.
Security researchers recommend removing the malicious package immediately and revoking any API keys that may have been exposed to it.
This incident is yet another reminder that the convenience of open-source software comes with an inevitable security tradeoff: it carries inherent risks. Vigilance, continuous monitoring, and proactive threat detection are must-have tools for any developer or organization that depends on third-party packages.
Early Detection is Key
“This incident underscores just how critical early detection is in safeguarding API-driven workflows,” says Mayur Upadhyaya, CEO at APIContext. “When a malicious package reroutes API calls, as we saw here with the ccxt-mexc-futures package, it often leaves behind subtle but detectable traces. Synthetic monitoring is your canary in the coal mine. By continuously simulating expected API behaviors, organizations can detect anomalies in CNAME records, DNS resolution, origin headers, and SSL certificates. These are early indicators that traffic is being diverted or tampered with.”
Upadhyaya adds that a synthetic check that mimics real-world usage, such as placing a trade via the API and validating its end-to-end behavior, would likely have flagged this malicious redirection quickly. “This kind of proactive observability is increasingly essential as the software supply chain becomes more complex and vulnerable to tampering.”
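The kind of check described above can also run inside the trading process itself, before a request leaves. The following is an added example (not code from JFrog's report, from APIContext, or from the package discussed): a pre-flight audit that flags the two symptoms the article describes, an API call addressed to a host other than the exchange's real API host, and a withdrawal whose destination is not a pre-approved address. The host name, URL paths, parameter names and wallet addresses are assumed placeholders, not the real MEXC API.

```python
"""Pre-flight audit of outgoing exchange API calls (added example).

Flags a call leaving for a host other than the exchange's expected API
host, and a withdrawal whose destination is not a pre-approved address.
Host, path and parameter names are assumed placeholders, not the MEXC API.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Baselines an operator would maintain out-of-band (assumed values).
EXPECTED_HOSTS = {"api.exchange.example"}
APPROVED_ADDRESSES = {"0xA1A1": "treasury hot wallet", "0xB2B2": "cold storage"}


@dataclass
class Finding:
    severity: str   # "high" or "critical"
    reason: str


def audit_request(method, url, params, expected_hosts=EXPECTED_HOSTS,
                  approved=APPROVED_ADDRESSES):
    """Return findings for one outgoing call; an empty list means it looks clean."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(Finding("high", f"plaintext scheme {parsed.scheme!r}"))
    if parsed.hostname not in expected_hosts:
        # Rerouted traffic shows up here: the client library still "works",
        # but the request is addressed to a server that is not the exchange.
        findings.append(Finding("critical", f"unexpected API host {parsed.hostname!r}"))
    if method.upper() == "POST" and "withdraw" in parsed.path.lower():
        dest = params.get("address")
        if dest not in approved:
            findings.append(Finding("critical", f"withdrawal to unapproved address {dest!r}"))
    return findings


def audit_batch(calls):
    """Audit (method, url, params) tuples; return {index: findings} for flagged calls only."""
    return {i: f for i, (m, u, p) in enumerate(calls) if (f := audit_request(m, u, p))}


# Constructed sample traffic: one clean call, one rerouted call, one altered withdrawal.
SAMPLE_CALLS = [
    ("POST", "https://api.exchange.example/v3/capital/withdraw", {"coin": "USDT", "address": "0xA1A1"}),
    ("GET", "http://api.unexpected.example/v3/account", {}),
    ("POST", "https://api.exchange.example/v3/capital/withdraw", {"coin": "USDT", "address": "0xC3C3"}),
]

if __name__ == "__main__":
    for idx, findings in audit_batch(SAMPLE_CALLS).items():
        for finding in findings:
            print(f"call {idx}: [{finding.severity}] {finding.reason}")
```

Wiring the audit in as a wrapper around the client's request function means a tampered library cannot quietly change the destination host or payout address without the call being flagged before it is sent.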
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.