A recently discovered malicious Python package on the Python Package Index (PyPI) named "disgrasya" has been found to contain a fully automated carding script targeting WooCommerce stores.
Unlike typical supply chain attacks that attempt to deceive users, "disgrasya" made no attempt to appear legitimate. As the Socket research team notes, "it was openly malicious, abusing PyPI as a distribution channel to reach a wider audience of fraudsters". The malicious script specifically targets WooCommerce stores using the CyberSource payment gateway.
Carding attacks involve fraudsters testing stolen credit card numbers to determine their validity. Attackers acquire card data from various sources, including dark web marketplaces, Telegram channels, and leaked databases. Automated carding tools, like "disgrasya," are used to simulate real transactions and verify which stolen cards are still active. Valid cards are then considered more valuable on the black market.
Carding attacks pose a significant threat to online businesses. Juniper Research estimates that online payment fraud, including carding, will cost businesses over $362 billion globally between 2023 and 2028. These attacks are difficult to detect because they mimic legitimate customer behavior.
The "disgrasya" package is particularly alarming because of how widely it was distributed: it was downloaded more than 34,860 times. The malicious payload was introduced in version 7.36.9 and persisted in subsequent versions.
The term "disgrasya" is Filipino slang for "disaster" or "accident," which aptly describes the package's functionality. The script automates a series of steps to mimic a legitimate shopper's transaction, allowing attackers to test stolen credit cards against real checkout systems without triggering fraud detection.
Here's a breakdown of the attack logic:
1. Extract Product ID: The script extracts a product ID from the target WooCommerce store's product listing page.
2. Add Product to Cart: The script adds a product to the cart via an AJAX request, simulating a legitimate shopper's action.
3. Extract Checkout Tokens: The script retrieves the CSRF nonce ("woocommerce-process-checkout-nonce") and the CyberSource "capture_context" from the checkout page's HTML.
4. Simulate Checkout and Exfiltrate Data: The script submits a final POST request to the WooCommerce AJAX checkout endpoint with randomized billing details and stolen card data. It then exfiltrates the stolen credit card data (card number, expiration date, and CVV) along with the "capture_context" to an external server controlled by the attacker.
The "disgrasya" package is dangerous because its actions are designed to be indistinguishable from legitimate user behavior. As the report states, "Every action it performs is indistinguishable from what a normal user might do".
The report emphasizes that this threat targets online merchants, particularly those using WooCommerce with CyberSource. To mitigate the risk, merchants are advised to:
1. Enable fraud protection rules.
2. Monitor for suspicious patterns.
3. Adjust fraud protection rules dynamically.
4. Enable CAPTCHA or bot protection.
5. Implement rate limiting.
While the "disgrasya" package has been removed from PyPI, the underlying techniques remain a threat. The report concludes that "vigilant monitoring and layered defenses at the checkout level are key to preventing fraud and minimizing exposure".