Carding tool abusing WooCommerce API downloaded 34K times on PyPI

April 6, 2025

Card

A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.

The script specifically targeted WooCommerce stores using the CyberSource payment gateway to validate cards, which is a key step for carding actors who need to evaluate thousands of stolen cards from dark web dumps and leaked databases to determine their value and potential exploitation.

Although the package has been removed from PyPI, its high download counts show the sheer volume of abuse for these types of malicious operations.

"Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate," explains a report by Socket researchers.

"It was openly malicious, abusing PyPI as a distribution channel to reach a wider audience of fraudsters."

Of particular interest is the brazen abuse of PyPi to host a package that the creators clearly stated in the description was used for malicious activity.

"A utility for checking credit cards through multiple gateways using multi-threading and proxies," read the disgrasya package description.

Socket notes that the malicious functionality on the package was introduced in version 7.36.9, likely an attempt to evade detection by security checks that might be stricter for initial submissions compared to subsequent updates.

Emulating shoppers to validate cards

The malicious package contains a Python script that visits legitimate WooCommerce sites, collects product IDs, and then adds items to the cart by invoking the store's backend.

Next, it navigates to the site's checkout page from where it steals the CSRF token and a capture context, which is a code snippet CyberSource users to process card data securely.

Socket says these two are normally hidden on the page and expire quickly, but the script grabs them instantly while populating the checkout form with made-up customer info.

In the next step, instead of sending the stolen card directly to the payment gateway, it sends it to a server controlled by the attacker (railgunmisaka.com), which pretends to be CyberSource and gives back a fake token for the card.

**POST request sending the card data outside***Source: Socket*

Finally, the order with the tokenized card is submitted on the webshop, and if it goes through, it verifies that the card is valid. If it fails, it logs the error and tries the next card.

**Printed transaction results***Source: Socket*

Using a tool like this, the threat actors are able to perform the validation of a large volume of stolen credit cards in an automated manner.

These verified cards can then be abused to conduct financial fraud or sold on cybercrime marketplaces.

How to block the carding attacks

Socket comments that this end-to-end checkout emulation process is particularly hard for fraud detection systems to detect on the targeted websites.

"This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket.

"It is designed to blend into normal traffic patterns, making detection incredibly difficult for traditional fraud detection systems."

Still, Socket says there are methods to mitigate the problem, like blocking very low-value orders under $5, which are typically used in carding attacks, monitoring for multiple small orders that have unusually high failure rates, or high checkout volumes linked to a single IP address or region.

Socket also suggests adding CAPTCHA steps on the checkout flow that may interrupt the operation of carding scripts, as well as applying rate limiting on checkout and payment endpoints.