A newly uncovered malicious Python package on PyPi, named ‘disgrasya’, has raised serious concerns after it was discovered exploiting WooCommerce-powered e-commerce sites to validate stolen credit card information. Before its removal, the package had been downloaded more than 34,000 times, signaling significant abuse within the developer ecosystem.

The tool specifically targeted WooCommerce sites using the CyberSource payment gateway, enabling threat actors to mass-test stolen credit card data obtained from dark web sources and data breaches. This process, known as carding, helps cybercriminals determine which cards are active and usable.

While PyPi has since removed the package, its high download count reveals the widespread exploitation of open-source platforms for illicit operations.

"Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate," explains a report by Socket researchers.

"It was openly malicious, abusing PyPI as a distribution channel to reach a wider audience of fraudsters."

What sets ‘disgrasya’ apart is the transparency of its malicious intent. Unlike other deceptive packages that mask their true purpose, this one openly advertised its illicit capabilities in the description:

"A utility for checking credit cards through multiple gateways using multi-threading and proxies."

According to Socket, version 7.36.9 of the package introduced the core malicious features, likely bypassing stricter checks typically applied to initial versions.

The malicious script mimics legitimate shopping behavior by accessing real WooCommerce stores, identifying product IDs, and adding items to the cart. It then proceeds to the checkout page, where it harvests the CSRF token and CyberSource’s capture context—sensitive data used to securely process card payments.

Socket explains that these tokens are typically short-lived and hidden, but the script captures them instantly while populating the form with fake customer details.

Instead of sending the card details directly to CyberSource, the data is routed to a malicious server (railgunmisaka.com) that impersonates the legitimate payment gateway. The server returns a fake token, which the script uses to complete the checkout process on the real store. If the transaction is successful, the card is validated; otherwise, it moves on to the next.

"This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket.

"It is designed to blend into normal traffic patterns, making detection incredibly difficult for traditional fraud detection systems."

This fully automated workflow makes it easier for attackers to validate thousands of cards at scale—cards which can then be used for financial fraud or sold on underground marketplaces.

Socket also warns that traditional fraud detection systems are ill-equipped to catch these types of attacks due to their highly realistic emulation of customer behavior.

Despite the sophistication of the operation, Socket researchers suggest some measures to reduce vulnerability: