Cybercriminals Used PyPI to Distribute WooCommerce Carding Tool – 34,000 Installs

A malicious Python package named “disgrasya” has been discovered on the Python Package Index (PyPI) and used as a tool for credit card fraud. The package abused the WooCommerce API to automate the verification of stolen cards and reached over 34,000 downloads, highlighting a serious and widespread threat in the e-commerce space.
🚨 What Happened?
A package called “disgrasya” was openly distributed via PyPI, promoting itself as a card-checking tool using multi-threading and proxy support. Unlike traditional malicious packages that try to remain hidden, this one brazenly stated its purpose—to test the validity of stolen credit cards.
It specifically targeted online stores built on WooCommerce, particularly those using the CyberSource payment gateway. By mimicking legitimate purchases, the tool could stealthily verify which stolen cards were still active and usable—turning real stores into silent testing platforms for fraud.
🎯 How Does It Work?
The tool simulated a real customer’s shopping process, avoiding detection by fraud prevention systems:
- Product Selection – It accessed product pages on target sites and extracted a valid product ID.
- Cart Injection – The script added items to the cart using backend API calls.
- Token Harvesting – It captured required security tokens (such as CSRF nonces and CyberSource context tokens) needed to proceed with checkout.
- Fake Payment Processing – Instead of submitting stolen card details to a real processor, it redirected them to a fake server controlled by the attacker, which returned a forged token.
- Transaction Validation – The tool submitted the token back to the store to simulate a real payment. If accepted, the card was marked as valid and ready for fraud; if rejected, it moved on to the next one.
Because the script replicated legitimate checkout behavior step by step, its traffic was nearly impossible to distinguish from a real customer’s, which made detection extremely difficult.
📉 Why It’s Dangerous
With over 34,000 downloads, this tool likely enabled widespread carding operations. Its automation and ability to mimic real user actions made it ideal for testing thousands of stolen card numbers in a short period. Many online stores may have been unknowingly involved in these validation attempts.
🛡️ How to Stay Protected
For Developers
- Vet third-party packages carefully before adding them to your projects.
- Avoid obscure packages with vague or suspicious descriptions.
- Use automated tools that analyze code for malicious behavior before deployment.
For E-Commerce Site Owners
- Implement anti-fraud filters to detect and block suspicious checkout patterns (e.g., low-value test orders, repeated failures).
- Add CAPTCHA and rate limiting to payment forms to slow down automated tools.
- Monitor checkout endpoints for abnormal spikes in activity or unusual transaction sources.
- Consider full-stack security plugins that block automated attacks and fake payment attempts.
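As an added illustration of the checkout monitoring recommended above (example code written for this article, not code from the original report or from WooCommerce), here is a small Python detector that runs over constructed checkout-log records and flags a source showing the card-testing pattern described: repeated declines, low-value orders and many distinct card tokens within a short window. The event fields, thresholds and sample IP addresses are assumptions; a real deployment would feed it from the store's order and gateway logs.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class CheckoutEvent:
    ts: int        # event time in seconds (constructed values below)
    source: str    # client IP or session identifier
    card: str      # opaque card token from the gateway, never the PAN
    amount: float  # order total
    outcome: str   # "approved" or "declined"

def detect_card_testing(events, window=600, min_attempts=5, low_value=5.0,
                        max_fail_ratio=0.5, max_cards=3):
    """Map each suspicious source to the reasons it tripped the filter."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev.source].append(ev)
    flagged = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # keep evs[start:end + 1] inside a span of at most `window` seconds
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            reasons = []
            declined = sum(e.outcome == "declined" for e in win)
            if declined / len(win) >= max_fail_ratio:
                reasons.append("repeated_failures")
            if all(e.amount <= low_value for e in win):
                reasons.append("low_value_orders")
            if len({e.card for e in win}) >= max_cards:
                reasons.append("many_distinct_cards")
            if reasons:
                flagged[src] = reasons
                break
    return flagged

# Constructed sample: an automated source cycling card tokens on $1 orders,
# plus one ordinary shopper. IPs come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    CheckoutEvent(1000 + i * 15, "198.51.100.7", f"tok_{i}", 1.0,
                  "approved" if i % 4 == 0 else "declined")
    for i in range(8)
] + [
    CheckoutEvent(1200, "192.0.2.10", "tok_shopper", 49.99, "approved"),
    CheckoutEvent(1800, "192.0.2.10", "tok_shopper", 19.50, "approved"),
]
```

Tune the thresholds to the store's normal order sizes and decline rate, and treat a hit as a signal to rate-limit or challenge the source rather than as proof of fraud on its own.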
This incident is a wake-up call: malicious tools are hiding in plain sight, and public code repositories can easily be exploited to distribute them. By combining awareness, strict code hygiene, and robust fraud defenses, both developers and store owners can better protect their platforms and users.