Malicious package

bittensor-burn (PyPI)

Malicious code in bittensor-burn (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-5331
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall bittensor-burn

What this malware does

The package markets itself as a Bittensor burn-rate monitor but ships a compiled native module (bittensor_burn_watch/core.cpython-*.so) that reads the installer's system clipboard on Linux (wl-paste/xclip), macOS, and Windows (Win32 API with a PowerShell fallback) and forwards every unique clipboard string to a hardcoded Telegram chat.

The Telegram bot token and chat ID are bundled in bittensor_burn_watch/defaults.env (TELEGRAM_BOT_TOKEN=8666228137:..., TELEGRAM_CHAT_ID=8766781014, labelled 'admin Telegram' / 'clipboard alerts'), so the destination is fixed by the author rather than configured by the installer, even though the README instructs users to configure their own bot.

The compiled module contains explicit stealth engineering: comments such as 'Read clipboard via Win32 API; PowerShell fallback if needed (no window flash)' and 'never mix X11 clients into a Wayland session (xclip flashes the taskbar)' show deliberate effort to avoid user-visible indicators.

Persistence is established system-wide (a Windows Task Scheduler logon entry plus a 15-minute watchdog, a systemd user service on Linux, and a LaunchAgent with KeepAlive on macOS), so the clipboard logger runs continuously after install.

The Bittensor-themed package name targets crypto/AI users likely to paste wallet seed phrases, exchange API keys, and TAO addresses, all high-value secrets for the operator of the receiving Telegram chat. A bundled Taostats API key (TAOSTATS_API_KEY=tao-e9b3d1d9-...) is a secondary concern (quota abuse against api.taostats.io) but is not the primary harm.

The package contains code that steals clipboard content and sends it to a predefined remote location. Once running, it periodically checks the clipboard and exfiltrates any content that matches its patterns. The targeted data are most likely cryptocurrency seed phrases.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-clip-logger

Reasons (based on the campaign):

  • clipboard-stealing

  • crypto-related

Malicious versions

2 flagged: 1.8.0, 1.8.1

Indicators of compromise (SHA-256)

75331af1d73717c0eb5535938c91df41c17f5b205aa2e1545906527b0ff1c5a0
cdf215dbadd53a3eea10b66e2e7ebfb16a4aa78b10adc818ae16d262995b6e36
99f546bfd362dae8aed49775bf13961c3540c29ef6fa54f484bf57e978d775be
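The removal step above, the persistence mechanisms described under "What this malware does", and the SHA-256 indicators listed here can be combined into a single host triage script. The following is an added example written for this page, not O3 Security's tooling or anything shipped with the package. It assumes a Linux or macOS host with `sha256sum` or `shasum` available, and, because the advisory does not publish the names of the systemd unit or LaunchAgent the package installs, it searches the standard user and system persistence directories for any entry that references the package rather than hardcoding a name (the `TRIAGE_NO_MAIN` guard variable is this script's own convention):

```shell
#!/bin/sh
# Triage helper for a host that may have installed bittensor-burn.
# Added example, not part of the advisory or the package. Assumes sha256sum
# (Linux) or shasum (macOS); persistence paths are the standard systemd user
# and LaunchAgent locations named in the advisory.

# Published SHA-256 IoCs for the malicious bittensor-burn artifacts.
IOC_HASHES="75331af1d73717c0eb5535938c91df41c17f5b205aa2e1545906527b0ff1c5a0
cdf215dbadd53a3eea10b66e2e7ebfb16a4aa78b10adc818ae16d262995b6e36
99f546bfd362dae8aed49775bf13961c3540c29ef6fa54f484bf57e978d775be"

# Portable SHA-256: GNU coreutils on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# hash_is_ioc HASH -> exit 0 if HASH (any case) is one of the published IoCs.
hash_is_ioc() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for ioc in $IOC_HASHES; do
        [ "$h" = "$ioc" ] && return 0
    done
    return 1
}

# file_is_ioc PATH -> exit 0 if the file's SHA-256 is a published IoC.
file_is_ioc() {
    [ -f "$1" ] || return 1
    hash_is_ioc "$(sha256_of "$1")"
}

# find_package_refs DIR... -> print every file under the given directories
# that mentions the distribution name (bittensor-burn) or the module name
# (bittensor_burn_watch). Missing directories are skipped silently.
find_package_refs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        grep -rlsE 'bittensor[-_]burn' "$d" 2>/dev/null
    done
    return 0
}

# Full triage: pip metadata, IoC hash matches in site-packages, persistence.
triage() {
    echo "== pip metadata =="
    pip show bittensor-burn 2>/dev/null || echo "bittensor-burn not installed in this interpreter"

    echo "== files under site-packages matching published IoCs =="
    for pkgdir in $(python3 -c 'import site; print(" ".join(site.getsitepackages() + [site.getusersitepackages()]))' 2>/dev/null); do
        find "$pkgdir" -path '*bittensor_burn_watch*' -type f 2>/dev/null | while read -r f; do
            file_is_ioc "$f" && echo "IOC MATCH: $f"
        done
    done

    echo "== persistence entries referencing the package =="
    find_package_refs "$HOME/.config/systemd/user" "$HOME/Library/LaunchAgents" \
        /etc/systemd/system /Library/LaunchAgents /Library/LaunchDaemons
}

# Run the triage unless the file is being sourced just for its functions.
[ "${TRIAGE_NO_MAIN:-}" = "1" ] || triage
```

Any file reported under the persistence section should be disabled and deleted before `pip uninstall bittensor-burn`, otherwise the unit or agent may simply fail to restart rather than stop. On Windows, where this script does not run, the equivalent check is to list scheduled tasks with `schtasks /Query /FO LIST /V` and search the output for the package name, since the advisory describes a logon task plus a watchdog task. After cleanup, rotate every secret that may have passed through the clipboard while the package was installed, not only secrets the build could read.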

Frequently asked questions

No: bittensor-burn on PyPI has been identified as a malicious package (versions 1.8.0 and 1.8.1 flagged). Remove it immediately, and do not install it or keep it in your dependency tree.

Campaign

2026-06-clip-logger (IN-MAL-2026-005650)

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter

bittensor-burn (PyPI) malicious package — MAL-2026-5331 | O3 Security