bittensor-wallet package stole private keys
A registry-only malicious release of bittensor-wallet 4.0.2 was uploaded to PyPI and later yanked. The backdoor was compiled into the Rust wallet code so wallet decryption paths exposed coldkey and hotkey material directly to the payload.
Story
On March 15, 2026, an attacker pushed a malicious release of bittensor-wallet to PyPI that planted a backdoor inside the very code path that decrypts a Bittensor user's private keys. The compromised version, 4.0.2, sat on the registry for roughly 48 hours before maintainers at OpenTensor yanked it.
bittensor-wallet is the Rust-backed Python wallet library for Bittensor, a decentralized machine-learning network whose stake and transfer operations are signed with coldkey and hotkey files held locally by each user. The package's job is to decrypt those files on demand.
Socket's automated scanners first flagged the release, and StepSecurity published a detailed teardown. According to StepSecurity, the attacker modified src/keyfile.rs at three call sites in the Rust wallet code, placing the hook directly inside the decryption routine rather than in an obvious sidecar script. The release workflow at .github/workflows/release.yml was also altered to strip build provenance attestation. Whenever a wallet key was decrypted, the implant tagged the key type, encrypted the plaintext private material with the attacker's hardcoded NaCl public key, and shipped it out through three independent channels: HTTPS POSTs to finney.opentensor-metrics.com, finney.metagraph-stats.com, and finney.subtensor-telemetry.com; a domain-generation algorithm rotating daily under *.opentensor-cdn.com; and DNS tunneling that split payloads into 60-character hex chunks. A background thread named cache-gc retried the exfiltration with two-to-ten-minute jitter, and the malware skipped machines that had been up for less than 20 minutes or showed signs of debugging or security tooling.
Opentensor yanked 4.0.2 around 12:06 UTC on March 17 and reverted users to 4.0.1. StepSecurity warned that any keyfile decrypted while 4.0.2 was installed should be treated as exposed, because the backdoor sat at the exact moment private keys briefly exist in plaintext.
Affected Artifacts
- Observed
- 2026-03-15 to 2026-03-17
- Compromised Versions
- Fixed
- 4.0.1
- Hashes
-
- sha256:6a416b72ff24804abc12484a3b41413a8580acedd8a5f8c84224fcf0732c2f8e
- Evidence
- distribution: pypi.org/project/bittensor-wallet/4.0.2, file: src/keyfile.rs, domain: finney.opentensor-metrics.com, domain: finney.metagraph-stats.com , +3 more
Incident Context
- Motive
- Credential Theft
- Cause
- Compromised Account Credentials
- Transitive
- Yes
External References
- bittensor-wallet 4.0.2 compromised on PyPIstepsecurity.io
- Package compromisedgithub.com
- Socket diff for bittensor-wallet 4.0.1 to 4.0.2socket.dev
Source record: oss/attacks/bittensor-wallet/meta.yaml