Carding is a type of cybercrime where attackers use stolen credit card information to make unauthorized transactions or test whether the cards are still valid.
A malicious carding tool disguised as a Python package on the official PyPI repository has alarmed the cybersecurity community after being downloaded over 34,000 times. The package, named “captcha-solver,” abuses the WooCommerce REST API to perform carding attacks, allowing cybercriminals to validate stolen credit card numbers through small-value transactions on WordPress-based online stores.
This operation exploits a key vulnerability in how online stores interact with payment systems. By automating fake purchases through the WooCommerce API, attackers can test stolen card details to check which ones are still active. Once validated, these credit card numbers are sold or used for further fraudulent purchases. The WooCommerce team describes this tactic as “card testing”, a practice where bots rapidly attempt transactions to determine valid cards. It not only results in chargebacks and financial loss for online merchants but can also trigger merchant account suspension due to repeated fraud.
Cybersecurity researcher David Pereira exposed this threat via LinkedIn, Instagram, and X (formerly Twitter), revealing how the malicious package was intentionally built for carding purposes. He demonstrated how it uses WooCommerce’s public API, and noted that the package even advertised a “captcha-solving” capability so that it would appear useful to unsuspecting developers.
Despite its seemingly harmless name, the “captcha-solver” package includes scripts that automate the creation of fake users and payment transactions, effectively turning WooCommerce-based sites into tools for credit card verification. The Python Package Index (PyPI) has since removed the package, but the number of downloads before its takedown raises concerns about open-source package trust and the ease with which threat actors can infiltrate trusted developer ecosystems.
The WooCommerce documentation urges merchants to protect their stores by enabling reCAPTCHA, rate limiting, and payment gateway filters. These steps are critical to prevent carding bots from exploiting store APIs. Additionally, constant monitoring of payment logs, setting transaction limits, and using fraud detection plugins are strongly advised.
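As an added illustration of the payment-log monitoring recommended above (example code written for this article, not part of the malicious package or of WooCommerce), the following Python flags the card-testing pattern the story describes: a burst of small-value orders from one source address spread across many freshly created customer accounts. The log format, sample lines and thresholds are constructed assumptions, not a real WooCommerce log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of order events (not real store data):
# timestamp, source IP, customer email, order total, gateway result.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 203.0.113.7 u1@example.com 1.00 declined
2025-05-01T10:00:03Z 203.0.113.7 u2@example.com 1.00 declined
2025-05-01T10:00:05Z 203.0.113.7 u3@example.com 1.00 approved
2025-05-01T10:00:07Z 203.0.113.7 u4@example.com 1.00 declined
2025-05-01T10:00:09Z 203.0.113.7 u5@example.com 1.00 declined
2025-05-01T10:00:11Z 203.0.113.7 u6@example.com 1.00 approved
2025-05-01T10:05:00Z 198.51.100.2 shopper@example.com 89.90 approved
2025-05-01T10:06:00Z 198.51.100.2 shopper@example.com 45.00 approved
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([\d.]+) (approved|declined)$")

def parse_log(text):
    """Parse the assumed one-event-per-line format into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not order events
        ts, ip, email, total, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "email": email,
                       "total": float(total), "result": result})
    return events

def find_card_testing(events, window=timedelta(minutes=5), max_total=5.0,
                      min_attempts=5, min_distinct_emails=3):
    """Flag IPs that place >= min_attempts small-value orders (<= max_total)
    across >= min_distinct_emails accounts inside `window`.
    Thresholds are illustrative; tune them to the store's normal traffic."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["total"] <= max_total:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):  # slide a window over each start point
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            emails = {e["email"] for e in burst}
            if len(burst) >= min_attempts and len(emails) >= min_distinct_emails:
                flagged[ip] = {"attempts": len(burst), "distinct_emails": len(emails),
                               "declined": sum(e["result"] == "declined" for e in burst)}
                break
    return flagged
```

Approved low-value orders count as well as declines, since a card tester's goal is precisely the approvals; the decline count is reported only to help an analyst judge the burst.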
This incident serves as a stark reminder of the security risks in open-source ecosystems and the importance of vigilant dependency management. Developers should verify the authenticity of packages before use, while platform providers must enhance vetting processes to detect and prevent malicious uploads.
Card testing may be low-profile, but its impact is high-stakes — leaving both businesses and customers vulnerable.