Cybersecurity researchers have recently uncovered a malicious package uploaded to the Python Package Index (PyPI) repository, designed to intercept trading orders on the MEXC cryptocurrency exchange, redirect them to a fraudulent server, and exfiltrate sensitive user credentials.
The package, named `ccxt-mexc-futures`, masquerades as an extension of the widely used Python library `ccxt` (CryptoCurrency eXchange Trading), which facilitates connections and trading operations across many cryptocurrency exchanges. The deceptive package had been downloaded at least 1,065 times before its removal from PyPI.
Deceptive Functionality and Malicious Modifications
Upon closer examination, the `ccxt-mexc-futures` package was found to override specific API functions associated with the MEXC exchange:
– `contract_private_post_order_submit`
– `contract_private_post_order_cancel`
– `spot4_private_post_order_place`
These alterations enable the package to intercept and manipulate trading orders. Additionally, the package modifies core functions of the original `ccxt` library, such as `describe`, `sign`, and `prepare_request_headers`. These changes allow the execution of arbitrary code on the host machine, facilitating the retrieval of a JSON payload from a counterfeit domain (`v3.mexc.workers[.]dev`). This payload redirects API requests to a malicious server (`greentreeone[.]com`) instead of the legitimate MEXC endpoint.
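As an added illustration of how a defender can check an installed module for the pattern described above (this is not code from the researchers, from `ccxt`, or from the malicious package), the following audit parses a module's source with `ast`, flags any class that redefines the method names listed above, and flags URL hosts that are either the reported indicators or outside a caller-supplied allowlist. The allowlist host `api.mexc.com` and the sample module are constructed assumptions for the demonstration.

```python
import ast
import re

# Method names the malicious package was reported to override.
SUSPICIOUS_OVERRIDES = {
    "contract_private_post_order_submit",
    "contract_private_post_order_cancel",
    "spot4_private_post_order_place",
    "describe",
    "sign",
    "prepare_request_headers",
}

# Reported indicators (published defanged as v3.mexc.workers[.]dev and greentreeone[.]com).
KNOWN_BAD_HOSTS = {"v3.mexc.workers.dev", "greentreeone.com"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def audit_module_source(source, allowed_hosts):
    """Return (kind, detail) findings: suspicious overrides, known-bad hosts, unexpected hosts."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for item in node.body:
                if (isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef))
                        and item.name in SUSPICIOUS_OVERRIDES):
                    findings.append(("override", f"{node.name}.{item.name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for host in HOST_RE.findall(node.value):
                host = host.lower()
                if host in KNOWN_BAD_HOSTS:
                    findings.append(("known_bad_host", host))
                elif host not in allowed_hosts:
                    findings.append(("unexpected_host", host))
    return findings


# Constructed sample module imitating the reported shape (inert bodies, not real code).
SAMPLE_SOURCE = '''
from ccxt import mexc
class mexc_futures(mexc):
    CONFIG_URL = "https://v3.mexc.workers.dev/config"
    def describe(self):
        pass
    def sign(self, path, api="public", method="GET", params=None, headers=None, body=None):
        pass
    def contract_private_post_order_submit(self, params=None):
        return "https://greentreeone.com/api/v1/private/order/submit"
'''


def audit_sample():
    # "api.mexc.com" is an assumed legitimate host for this demonstration.
    return audit_module_source(SAMPLE_SOURCE, {"api.mexc.com"})
```

To audit a real installation, read each `.py` file under the package's directory in `site-packages` and pass its text to `audit_module_source`.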
Implications for Developers and Users
By redirecting API requests to an attacker-controlled server, the malicious package can:
– Hijack cryptocurrency tokens
– Steal sensitive information, including API keys and secrets
This breach poses significant risks to both developers integrating the package and end-users executing trading operations on the MEXC platform.
Recommendations for Affected Users
Users who have installed the `ccxt-mexc-futures` package should take immediate action:
1. Revoke any potentially compromised API tokens.
2. Uninstall the malicious package from their systems.
Broader Context: Supply Chain Attacks in Open-Source Ecosystems
This incident underscores a growing trend of supply chain attacks targeting open-source repositories. Threat actors exploit the trust within these ecosystems to distribute malicious packages that can compromise developer environments and end-user systems.
Recent Examples of Malicious Packages in PyPI
Several instances highlight the increasing sophistication of such attacks:
– Crypto-Stealing Malware in PyPI Packages: In October 2024, researchers discovered malicious Python packages designed to steal private keys and mnemonic phrases from cryptocurrency wallets. These packages posed as legitimate tools for data decoding and management, targeting users of popular wallets like Atomic, Exodus, Metamask, Ronin, TronLink, and Trust Wallet. ([securityweek.com](https://www.securityweek.com/cryptocurrency-wallets-targeted-via-python-packages-uploaded-to-pypi/?utm_source=openai))
– Malicious Packages Hijacking Developer Devices for Cryptomining: In March 2025, six malicious packages were identified on PyPI that hijacked developer devices to mine cryptocurrency. These packages, uploaded by the same user, were downloaded nearly 5,000 times before detection. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-hijack-dev-devices-to-mine-cryptocurrency/?utm_source=openai))
– Malware Targeting Ethereum Private Keys via PyPI: In March 2025, a malicious package named `set-utils` was found on PyPI, designed to steal Ethereum private keys by impersonating popular libraries. The package intercepted private keys during wallet creation and exfiltrated them via blockchain transactions, making detection challenging. ([hacking.reviews](https://www.hacking.reviews/2025/03/this-malicious-pypi-package-stole.html?utm_source=openai))
Mitigation Strategies for Developers
To safeguard against such threats, developers are advised to:
– Verify Package Authenticity: Scrutinize the credibility of packages and their maintainers before integration.
– Monitor Dependencies: Regularly review and update dependencies to ensure they are free from vulnerabilities.
– Implement Security Tools: Utilize tools that can detect and alert on suspicious package behavior.
– Educate Teams: Raise awareness about supply chain attacks and promote best practices for secure coding.
Conclusion
The discovery of the `ccxt-mexc-futures` package serves as a stark reminder of the vulnerabilities inherent in open-source ecosystems. As attackers continue to refine their methods, it is imperative for developers and organizations to adopt proactive security measures to protect their systems and users from such insidious threats.