---
title: "JuiceLedger, From Low-Key Phishing Campaigns to a Sophisticated Supply Chain Attack | Phish Protection"
description: "Open-source software libraries become frequent targets of attackers, who view them as an attractive path to distributing malware and stealing credentials."
image: "https://phishprotection.com/og/blog/juiceledger-low-key-phishing-campaigns-sophisticated-supply-chain-attack.png"
canonical: "https://phishprotection.com/blog/juiceledger-low-key-phishing-campaigns-sophisticated-supply-chain-attack/"
---


**Open-source software libraries** have become frequent targets of attackers, who view them as an attractive path to distributing [malware](/content/protection-against-malware/what-is-malware) and stealing credentials. In August 2022, the threat actor JuiceLedger targeted [PyPI](https://en.wikipedia.org/wiki/Python%5FPackage%5FIndex) contributors with a phishing campaign and successfully compromised several legitimate packages. Read on to know more.

In early 2022, JuiceLedger ran relatively low-key campaigns that spread fraudulent **Python installer** applications bundled with a .NET application, ‘JuiceStealer,’ designed to steal sensitive data from users’ browsers.

In August 2022, the threat actor altered its technique and started [poisoning open-source](https://news.cornell.edu/stories/2021/08/hackers-can-poison-open-source-code-internet) packages to target a **wider audience** with the information stealer through a supply chain attack. Thus, there was a significant rise in the threat level posed by this group.

The JuiceLedger operators actively targeted PyPI package contributors through the latest phishing campaign, **poisoning** at least two legitimate packages with malware. Furthermore, several hundred more [malicious packages](https://www.infosecurity-magazine.com/news/hundreds-malicious-packages-npm/) are suspected to be **typosquatted**.

### Evolution of the JuiceStealer Malware


[VirusTotal](https://todaypennsylvania.com/actors-behind-pypi-supply-chain-attack-active-since-late-2021/124385/) discovered JuiceStealer in February, when someone (probably a threat actor) submitted a Python program capable of **installing the malware** secretly.

The threat actors developed JuiceStealer using the .NET framework; it searches for **saved passwords** in Google Chrome. After carefully examining the code, the researchers linked the JuiceStealer malware to activity that started in 2021 and has been evolving since then. They established a possible connection to Nowblox, a malicious site that offers free in-game currency for [Roblox](https://www.engadget.com/roblox-launches-its-first-generative-ai-game-creation-tools-192043349.html?guccounter=1&guce%5Freferrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce%5Freferrer%5Fsig=AQAAAGYlO1OSilR1vtAdVJiIi8sh%5Fpxp9P0D84Xf2PljEgs5fMZnBXemIyksXqthx2E%5F3cis%5FsZA7THOiurmU2RUvKtf3U-kfhDVCWFtAvrheQC86QiUVpyKSkdEf8SfUJ-2CxTSJJENz3y%5FmkRFi3-6vW1h3jIjnfK7wZxz8OJzzIkz).

Researchers said that over time, the threat actor, which they referred to as JuiceLedger, started using **crypto-themed scam apps**, like the Tesla Trading bot. These apps came in zip files, accompanied by additional legitimate software.

JuiceLedger used a more **complex attack chain** for the attack on PyPI in August. It combined typosquatting, malicious packages, and [phishing emails](/content/protection-from-phishing/how-to-stop-phishing-emails) to PyPI developers to inject the JuiceStealer malware into downstream users’ systems.

The researchers at [SentinelLabs](https://www.sentinelone.com/labs/pypi-phishing-campaign-juiceledger-threat-actor-pivots-from-fake-apps-to-supply-chain-attacks/) suspect that JuiceLedger used this vector in **parallel to the earlier infection** method, as similar payloads were delivered through fake cryptocurrency ledger websites.

### The Modus Operandi

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

The threat actor’s modus operandi involves sending PyPI users a phishing email informing them that Google is implementing the **latest validation** process for publishing packages on PyPI.

The email claims the measure was Google’s response to a rise in malicious PyPI packages uploaded to the registry.

It warned developers to validate their [code packages](https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=space-adding-code-packages-deployment) with Google expeditiously to avoid their removal from the registry. _Furthermore, the phishing email noted, “Packages not validated before September 2022 will get removed promptly.”_

PyPI users clicking on the link got redirected to a **malicious webpage**, [spoofed](https://www.infosecurity-magazine.com/news/amazon-spoofed-in-new-attack/) to look like PyPI’s login page.

When users entered their credentials, the page sent the information to a JuiceLedger-controlled domain, linkedopports\[dot\]com.

The threat actor convinced at least two developers to share their credentials, giving JuiceLedger a **pathway to access** and poison their widely used PyPI packages with malicious code.

### The Extent of the Damage

One of the packages (version 0.1.6 of “Exotel”) had over 480,000 downloads when it got infected. The other malicious package (versions 2.0.2 and 4.0.2 of “spam”) had 200,000 downloads. The PyPI administrators **removed both packages** after discovering them, according to [Checkmarx](https://www.sentinelone.com/labs/pypi-phishing-campaign-juiceledger-threat-actor-pivots-from-fake-apps-to-supply-chain-attacks/).

The malicious code, once installed in a [development environment](https://umbraco.com/knowledge-base/development-environment/), queries **Chrome’s SQLite files** for saved Google Chrome passwords and launches a Python installer included in the zip, “config.exe.” Furthermore, the **information stealer** searches for logs containing the word “vault” (probably looking for cryptocurrency vaults) and reports back to the attacker’s command and control server over **HTTP**.

### PyPI’s Response


PyPI stated that they were **actively reviewing** reports of the infected packages and had taken down several typosquats. Furthermore, they urged package maintainers to **confirm the URL** [http://pypi\[.\]org](http://pypi%5B.%5Dorg) in the address bar before entering credentials and to use [2FA](https://authy.com/what-is-2fa/) on their accounts where available. _Users can also check that the site’s TLS certificate is issued to pypi.org._

Additionally, they have requested that maintainers who believe they are victims of the JuiceLedger attack **reset their passwords** and report any suspicious activity to [security@pypi.org](mailto:security@pypi.org). [Checkmarx](https://checkmarx.com/blog/first-known-phishing-attack-against-pypi-users/) recommends checking network traffic against the IOCs listed in its blog post and encourages contributors to use 2FA.


### How To Mitigate Such Supply Chain Attacks?

If you are a **package maintainer**, we strongly encourage you to apply the platform’s recommendations to prevent or mitigate attacks on your account.

As a developer, you must define a **strict vendor policy** and ensure that no updates run silently, a common occurrence with [package managers](https://www.debian.org/doc/manuals/aptitude/pr01s02.en.html).

You must follow the **latest vulnerabilities** discovered in your dependencies by periodically checking the [GitHub advisory database](https://docs.github.com/en/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database). Some tools on the market automatically submit **pull requests** to your repository that update a dependency in which a critical vulnerability was recently identified.

A robust tool for Python users: to defend against [typosquatting attacks](https://www.csoonline.com/article/3600594/what-is-typosquatting-a-simple-but-effective-attack-technique.html) like JuiceLedger’s, use **a lock file**. A good lock file has the following attributes:

- **_Version pins:_** they make your builds deterministic and predictable.
- **_Hashes:_** they are a robust way to verify the integrity of your packages.
- **_Full dependency graph:_** it lets you control your packages’ transitive dependencies.
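As an added example (not code from the original post or from any of the projects it mentions), the following checker enforces the first two lock-file properties above on a pip-style requirements file: every entry must be pinned with `==`, must carry a `--hash`, and a downloaded artifact is accepted only if its bytes match a pinned strong hash. The lock file, artifact bytes and package names are constructed for the demo and assume pip's `--hash=sha256:<hex>` syntax.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# pip's hash-checking syntax: "name==ver --hash=sha256:<hex>", optionally
# continued over several lines with a trailing backslash.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
PIN_RE = re.compile(r"^\s*==\s*([^\s;]+)")
HASH_RE = re.compile(r"--hash=([A-Za-z0-9]+):([0-9a-fA-F]+)")
STRONG_ALGOS = {"sha256", "sha384", "sha512"}


@dataclass
class Requirement:
    name: str
    version: Optional[str]                       # None unless pinned with ==
    hashes: dict = field(default_factory=dict)   # algo -> set of hex digests


def parse_lock_file(text: str) -> list:
    """Parse a pip requirements/lock file into Requirement records."""
    reqs, logical = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                  # continuation line
            logical += line[:-1] + " "
            continue
        logical += line
        m = NAME_RE.match(logical)
        if m:                                    # skips option lines like --index-url
            pin = PIN_RE.match(logical[m.end():])
            req = Requirement(m.group(0).lower(), pin.group(1) if pin else None)
            for algo, digest in HASH_RE.findall(logical):
                req.hashes.setdefault(algo.lower(), set()).add(digest.lower())
            reqs.append(req)
        logical = ""
    return reqs


def lock_file_problems(reqs) -> list:
    """One message per violated property: exact pin, hash present, hash strong."""
    problems = []
    for r in reqs:
        if r.version is None:
            problems.append(f"{r.name}: not pinned to an exact version")
        if not r.hashes:
            problems.append(f"{r.name}: no --hash, integrity cannot be checked")
        elif not STRONG_ALGOS.intersection(r.hashes):
            problems.append(f"{r.name}: only weak hash algorithms pinned")
    return problems


def artifact_matches(req: Requirement, data: bytes) -> bool:
    """True only if the downloaded bytes match a strong hash pinned for req."""
    return any(hashlib.new(algo, data).hexdigest() in req.hashes[algo]
               for algo in STRONG_ALGOS.intersection(req.hashes))


# Constructed sample data (not real package contents): a good artifact and a
# tampered copy of it, plus a lock file that pins the good one by sha256.
GOOD_ARTIFACT = b"constructed exotel-0.1.5 artifact bytes"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b" with extra bytes"
SAMPLE_LOCK = f"""
# constructed lock file for the demo
exotel==0.1.5 \\
    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}
spam>=2.0
requests==2.28.1 --hash=md5:d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    reqs = parse_lock_file(SAMPLE_LOCK)
    for p in lock_file_problems(reqs):
        print("LOCK FILE PROBLEM:", p)
    print("exotel good artifact accepted:", artifact_matches(reqs[0], GOOD_ARTIFACT))
    print("exotel tampered artifact accepted:", artifact_matches(reqs[0], TAMPERED_ARTIFACT))
```

Run against a real `requirements.txt` produced with `pip-compile --generate-hashes`, the same checks flag any entry that a typosquat or a hijacked release could slip past unnoticed.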

### Expert Views

- [Amitai Ben, threat intelligence researcher, SentinelOne.](https://www.darkreading.com/application-security/researchers-identify-threat-actor-behind-recent-phishing-attack-targeting-pypi-users)

Attackers exploit the fact that organizations and developers will always need to utilize open-source packages. A robust way to minimize exposure for developers contributing open source code to the public repositories is to enable 2FA (two-factor authentication) on their account in package managers. It will **reduce the risk** of account takeover by cybercriminals.

Furthermore, users of open source packages **must know** that popular packages are connected to Git repositories from where the development process takes place. If they find discrepancies between the package on the package manager and the repository, they must treat it as a **sign of account takeover** and suspicious activity.

- [PyPI Admins](https://www.bleepingcomputer.com/news/security/pypi-mandates-2fa-for-critical-projects-developer-pushes-back/)

The significant step towards our broader efforts to **enhance the security** of the Python ecosystem and all PyPI users is ensuring the widely used projects have basic protections. To improve the general security posture of the Python ecosystem, PyPI is implementing a 2FA (two-factor authentication) requirement for critical projects. The condition will get implemented in the coming months.

- [Researchers, SentinelLabs](https://www.sentinelone.com/labs/pypi-phishing-campaign-juiceledger-threat-actor-pivots-from-fake-apps-to-supply-chain-attacks/)

JuiceLedger quickly evolved from an opportunistic infection a few months ago to a sophisticated [supply chain attack](https://www.bleepingcomputer.com/news/security/russian-government-sites-hacked-in-supply-chain-attack/) targeting a **major software distributor**. The increasingly sophisticated attack on PyPI members, which included a targeted phishing campaign, the hijacking of trusted developer accounts, and numerous printed packages, suggests that the cybercriminal had adequate time and resources at their disposal.

### Final Words

PyPI is not the only code repository that [malicious actors](/phishing/malicious-actors-exploit-commenting-feature-in-google-docs-to-send-phishing-emails) have targeted recently. Security analysts have reported numerous incidents involving other popular registries like npm and Maven Central. The growing attacks have heightened the attention on software supply chain **security**, especially due to the potential for nation-state-backed attackers (like the Russian actor behind the [SolarWinds compromise](https://www.cybersecuritydive.com/news/microsoft-nobelium-breach-russia/608803/)) to exploit the same weakness in their attack campaigns.

To mitigate the risk, businesses **must implement** more advanced and adaptive security measures. This includes developing better solutions for [phishing protection](/), based on a dynamic understanding of the evolving threat landscape.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

