A malicious Python package uploaded to the official PyPI repository has shocked the cybersecurity community with its blatant functionality and audacity. The package, named ‘disgrasya’, was openly built for credit card fraud operations, using legitimate e-commerce platforms—specifically WooCommerce stores with CyberSource integration—as unsuspecting validators for stolen credit card data. Before being taken down, this package was downloaded over 34,000 times, highlighting the scale and ease with which cybercriminals can exploit the open-source ecosystem.
The Attack in 30 Lines:
- A malicious PyPI package named ‘disgrasya’ was discovered by researchers at Socket.
- It was downloaded more than 34,000 times before removal.
- The package’s purpose was shockingly overt: validating stolen credit cards.
- It abused WooCommerce stores integrated with CyberSource to carry out this validation.
- These validations are key for cybercriminals involved in “carding” operations, where they test and sort stolen credit card data from data breaches and dark web dumps.
- Unlike most supply chain attacks, disgrasya did not mask its intent or attempt to appear legitimate.
- The package description itself revealed its malicious use: “A utility for checking credit cards through multiple gateways using multi-threading and proxies.”
- The malicious code was introduced in version 7.36.9, likely to bypass early security scans.
- The script targets WooCommerce product listings, grabs product IDs, and simulates a real shopping session.
- It navigates to the checkout page and stealthily scrapes sensitive session data like CSRF tokens and CyberSource context scripts.
- These pieces are vital for securely processing payment data.
- The stolen card details are sent to railgunmisaka.com, a fake CyberSource server controlled by attackers.
- This server then returns a fake authorization token to trick the WooCommerce store into processing the payment.
- If the transaction is successful, the card is marked as valid; otherwise, the system logs the failure and moves to the next card.
- This process allows carders to automate the verification of thousands of cards with minimal effort.
- Once verified, these cards can be used for fraudulent purchases or sold on black markets.
- Socket notes the difficulty of detecting this attack, as the simulated transactions resemble real customer behavior.
- Traditional fraud systems may miss it due to how realistic the traffic pattern is.
- Suggested mitigations include:
  - Blocking transactions under $5, which are often used in carding.
  - Monitoring for high checkout failure rates from specific IPs or regions.
  - Adding CAPTCHAs to checkout pages.
  - Applying rate limiting to checkout APIs.
- This event underscores the massive risks posed by unchecked packages on public repositories.
- It also raises concern about how open-source ecosystems can be weaponized by cybercriminals.
- The campaign reflects a broader shift in automated, scalable attacks that use legitimate infrastructure for fraud.
- The total impact remains unknown, but 34,000 downloads suggest widespread distribution.
- The malicious server domain (railgunmisaka.com) should now be blacklisted by payment security teams.
- WooCommerce and CyberSource integrations should be re-reviewed for suspicious access patterns.
- This case also reopens the discussion on PyPI’s security policies and review process.
- Unlike typographical deception (typosquatting), this attack was openly hostile and confident.
- It proves that blatant cybercrime can thrive when security review pipelines are weak or reactive.
- Developers are urged to vet dependencies and avoid installing packages with vague or suspicious names.
- Security teams should implement dynamic runtime checks alongside static dependency scans.
- With open-source playing such a central role in development, software supply chain security has never been more critical.
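The mitigations listed above (blocking sub-$5 transactions, watching for high checkout failure rates per IP, rate limiting) translate directly into a detection pass over checkout logs. The following is an added example written for this article; it is not code from Socket's report, from WooCommerce or from CyberSource. The log line format, the IP addresses, the amounts and the thresholds are all constructed assumptions; a real store would feed its own checkout events into `aggregate()`.

```python
"""Flag carding-style checkout abuse (high per-IP failure rate, repeated
sub-$5 attempts) from constructed WooCommerce-like checkout log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. The key=value format is an assumption for this
# example, not WooCommerce's own log format. 203.0.113.5 behaves like a
# card-testing bot; the other two addresses behave like ordinary shoppers.
SAMPLE_LOG = """\
2025-04-03T10:00:01Z ip=203.0.113.5 event=checkout status=failed amount=1.99
2025-04-03T10:00:02Z ip=203.0.113.5 event=checkout status=failed amount=2.49
2025-04-03T10:00:03Z ip=203.0.113.5 event=checkout status=success amount=1.00
2025-04-03T10:00:04Z ip=203.0.113.5 event=checkout status=failed amount=3.00
2025-04-03T10:00:05Z ip=203.0.113.5 event=checkout status=failed amount=1.50
2025-04-03T10:00:06Z ip=203.0.113.5 event=checkout status=failed amount=0.99
2025-04-03T10:01:00Z ip=198.51.100.7 event=checkout status=success amount=49.90
2025-04-03T10:05:00Z ip=198.51.100.7 event=checkout status=failed amount=49.90
2025-04-03T10:06:00Z ip=198.51.100.7 event=checkout status=success amount=49.90
2025-04-03T10:07:00Z ip=192.0.2.9 event=checkout status=failed amount=120.00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) "
    r"status=(?P<status>\S+) amount=(?P<amount>[0-9.]+)$"
)

# The article's "$5" figure: amounts below this are typical card-testing values.
LOW_VALUE_THRESHOLD = 5.00


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    low_value: int = 0  # attempts with amount below LOW_VALUE_THRESHOLD


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["amount"] = float(rec["amount"])
    return rec


def aggregate(log_text):
    """Count checkout attempts, failures and low-value attempts per source IP."""
    stats = defaultdict(IpStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "checkout":
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        if rec["status"] != "success":
            s.failures += 1
        if rec["amount"] < LOW_VALUE_THRESHOLD:
            s.low_value += 1
    return dict(stats)


def flag_suspicious(stats, min_attempts=5, max_failure_rate=0.5, max_low_value=3):
    """Return {ip: [reasons]} for IPs whose checkout pattern looks like card testing.
    A single failed order is normal; many attempts with a high failure rate, or
    a run of sub-threshold amounts, is the pattern the article describes."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        rate = s.failures / s.attempts
        if s.attempts >= min_attempts and rate > max_failure_rate:
            reasons.append(f"failure_rate={rate:.2f}")
        if s.low_value >= max_low_value:
            reasons.append(f"low_value_attempts={s.low_value}")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_suspicious(aggregate(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(reasons))
```

The thresholds are deliberately conservative: an IP is only flagged on failure rate once it has enough attempts for the rate to mean something, and the low-value rule catches a tester that happens to succeed often. Either reason is a candidate input for the rate limiting and CAPTCHA challenges the article suggests, rather than an automatic block.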
What Undercode Says:
This breach is not just a cautionary tale—it’s a live example of how easily attackers can co-opt open platforms and trusted ecosystems for high-volume fraud. From a security architecture standpoint, this case reveals glaring weaknesses at multiple levels, including PyPI’s moderation, WooCommerce’s checkout protections, and CyberSource’s token handling.
1.
- The open nature of PyPI is its greatest strength and weakness.
- A malicious package was able to live publicly with an overtly criminal purpose.
- The use of versioning to sneak malicious functionality (in 7.36.9) indicates awareness of basic moderation tactics.
- This reflects the need for automated behavior analysis, not just name or code review.
2. Abuse of WooCommerce Infrastructure:
- Cybercriminals cleverly selected a popular and often self-hosted platform.
- Many WooCommerce sites run with minimal cybersecurity posture, making them ideal for abuse.
- Emulating real checkout flows bypasses many traditional fraud detection signals.
3. Carding at Scale:
- The fact that the package included multi-threading and proxy support signals industrial-level abuse.
- This isn’t a hobbyist tool—it’s designed for maximum throughput.
- 34,000 downloads may reflect hundreds of carders or even integration into larger fraud-as-a-service kits.
4. CyberSource Spoofing:
- One of the cleverest parts of the attack is the fake CyberSource server.
- This not only bypasses payment verification but keeps the stolen card data under the attacker’s control.
- It’s a man-in-the-middle scenario using the legitimate frontend as an unwitting proxy.
5. Detection Complexity:
- The flow mimics natural shopping behavior: browsing, carting, checkout.
- This design ensures that anomaly detection systems, especially those based on thresholds or customer behavior, miss the red flags.
- Only deep behavioral models or aggressive bot filtering would detect this kind of abuse.
6. Economic Incentive:
- Each verified card has monetary value—usually between $5 and $100+ on underground markets.
- Multiply that by thousands, and a single successful user of this package could net six figures in stolen value.
7. Need for Developer Vigilance:
- Developers should treat package installation like dependency injection—not a passive process.
- Read descriptions, check maintainers, and inspect code for unknown packages, especially those that touch network functions.
8. Security Takeaway:
- Real-time threat intelligence and tighter moderation policies are required.
- PyPI and similar platforms must treat themselves as critical infrastructure—not just community-driven directories.
- Until then, attackers will continue to exploit the cracks between convenience and caution.
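Item 7 above (read descriptions, inspect code that touches network functions) and the earlier advice to pair static dependency scans with runtime checks can be partly automated before a package is installed. The following is an added example written for this article; it is not Socket's tooling, PyPI's, or any code from the package discussed. The package name `example-utils`, its summary text (which reuses the wording quoted in the article), its source files and both watch lists are constructed assumptions. It uses Python's standard `ast` module to find imports of network-capable modules, including ones loaded through `importlib.import_module("...")` with a string literal, and checks the summary for wording that warrants a human look.

```python
"""Pre-install vetting: flag network-touching imports in a package's Python
sources and watch-listed wording in its metadata summary (static scan only)."""
import ast

# Top-level modules whose presence means the package can talk to the network.
NETWORK_MODULES = {"socket", "ssl", "http", "urllib", "requests", "httpx", "aiohttp"}

# Summary wording that warrants human review before installing. These are
# constructed for this example, chosen from the article's quoted description.
SUMMARY_WATCHWORDS = ("credit card", "gateway", "proxies", "proxy", "checker")


def network_imports(source):
    """Return the set of watch-listed top-level modules imported by `source`.
    Handles `import x.y`, `from x.y import z`, and importlib.import_module("x")."""
    tree = ast.parse(source)
    found = set()
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Attribute)
              and node.func.attr == "import_module"
              and node.args
              and isinstance(node.args[0], ast.Constant)
              and isinstance(node.args[0].value, str)):
            names = [node.args[0].value]
        for name in names:
            top = name.split(".")[0]
            if top in NETWORK_MODULES:
                found.add(top)
    return found


def summary_hits(summary):
    """Return the watchwords present in a package summary, in watch-list order."""
    text = summary.lower()
    return [w for w in SUMMARY_WATCHWORDS if w in text]


def vet_package(name, summary, sources):
    """Combine both checks. `sources` maps file path -> source text.
    Returns a list of human-readable findings (empty means nothing flagged)."""
    findings = []
    hits = summary_hits(summary)
    if hits:
        findings.append(f"{name}: summary mentions {', '.join(hits)}")
    for path, src in sources.items():
        try:
            mods = network_imports(src)
        except SyntaxError:
            # Unparseable source is itself a reason to look closer.
            findings.append(f"{name}: {path} does not parse; inspect manually")
            continue
        if mods:
            findings.append(f"{name}: {path} imports {', '.join(sorted(mods))}")
    return findings


# Constructed sample: a hypothetical package, not the real disgrasya code.
SAMPLE_SUMMARY = ("A utility for checking credit cards through multiple "
                  "gateways using multi-threading and proxies.")
SAMPLE_SOURCES = {
    "example_utils/__init__.py": "VERSION = '0.1'\n",
    "example_utils/net.py": (
        "import requests\n"
        "from urllib.parse import urljoin\n"
        "import importlib\n"
        "sock = importlib.import_module('socket')\n"
    ),
    "example_utils/math_helpers.py": "import math\n",
}

if __name__ == "__main__":
    for finding in vet_package("example-utils", SAMPLE_SUMMARY, SAMPLE_SOURCES):
        print(finding)
```

A hit from either check is a prompt to read the code, not proof of malice: plenty of legitimate libraries import `requests`. What the scan does is make the "touches network functions" question the article raises answerable in seconds for every new dependency, which is exactly the step that an overtly described package like this one would fail.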
Fact Checker Results:
- The package disgrasya did exist and was publicly downloadable with a clear criminal purpose.
- The 34,000+ downloads are verified by Socket’s telemetry before removal.
- The technique of carding via e-commerce checkout emulation is consistent with known cybercrime operations.
References:
Reported By: https://www.bleepingcomputer.com/news/security/carding-tool-abusing-woocommerce-api-downloaded-34k-times-on-pypi/