bt-burn-watchPyPI

Package advertises Bittensor subnet burn-rate monitoring but the compiled core module's own docstring describes itself as a 'clipboard logger + Bittensor subnet burn rate monitoring' tool. defaults.env ships a hardcoded Telegram bot token (8666228137:AAF_NLMrow4cDf3uEJCl3JY7DeBHtovd1TU) and chat id (8766781014) commented 'Bundled for all pip install users'. When the user runs the documented bittensor-burn-watch install CLI, the package installs persistence via Task Scheduler (Windows), systemd (Linux) or LaunchAgent (macOS), polls the OS clipboard, deduplicates each unique string via a local SQLite store, and POSTs every new clipboard entry to api.telegram.org under the author's bot. The compiled core exposes clipboard_already_sent, _claim_clipboard_text, _normalize_clipboard_text, _clipboard_fingerprint, plus a Win32-API clipboard reader whose own docstring boasts 'no window flash' (anti-detection), and on Linux silently apt/dnf/pacman-installs wl-clipboard/xclip without prompting. The package is shipped as Cython-compiled.so files only (no Python source) for a tool that does nothing more than call a public REST API and send Telegram messages — compilation here exists to hide the clipboard-capture surface from casual pip download && grep audits. Given the Bittensor user base, clipboard contents typically include TAO wallet seed phrases, private keys, and exchange API keys. defaults.env also bundles the author's own taostats API key for all installers to consume.

The package contains code to steal clipboard content to a predefined remote location. If run in the right way, the code will periodically check the clipboard and if the content matches the pattern, exfiltrates it. Early versions contain this behavior mentioned in the README. The targeted data are likely cryptocurrency secret phrases.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-clip-logger

Reasons (based on the campaign):

• clipboard-stealing

• crypto-related