A technical breakdown of the compromised bittensor-wallet 4.0.2 PyPI package, which was live for ~48 hours before being yanked. The backdoor, written in Rust and compiled into the native extension, hooks into every keyfile decryption path to steal private keys. It uses three independent exfiltration channels: HTTPS to hardcoded lookalike domains, daily-rotating DGA domains, and DNS tunneling as a fallback. Anti-analysis checks (uptime, debugger detection, process scanning) prevent execution in sandboxes. All strings are XOR-obfuscated, the background thread is named 'cache-gc' to blend in, and build provenance attestation was stripped from the release. The post includes full IOCs, live C2 traffic captured via StepSecurity Harden Runner, and remediation steps including key rotation and hash-pinned dependencies.
Table of contents
The Affected PackageHarden Runner Catches the Backdoor in ActionHow the Attack WorksIOCs (Indicators of Compromise)What Made This Hard to DetectRemediationAcknowledgementReferencesSort: