The Python Package Index (PyPI) maintainers have quarantined the "aiocpa" library after discovering its latest update contained malicious code designed to steal private keys through a Telegram bot.
Package Details
"aiocpa" is described as a synchronous and asynchronous Crypto Pay API client; it was first released in September 2024 and has been downloaded more than 12,000 times so far.
Quarantine Action
Placing the package in quarantine effectively halts any further installations and prevents modifications by its creators.
Discovery
Cybersecurity firm Phylum reported the threat last week, revealing that the PyPI version was compromised with malicious code, while the GitHub repository remained clean.
Malicious Code Introduction
The malicious change was traced to version 0.1.13 of the library, where modifications were found in the "sync.py" script. This script was altered to decode and execute a covert code segment upon installation.
Code Obfuscation
According to Phylum, the malicious code was encoded and compressed multiple times to obscure its purpose, intended to capture the user's Crypto Pay API token and send it via a Telegram bot.
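The pattern Phylum describes, an exec() fed by a chain of decode and decompress calls, can be flagged statically before a package is ever installed. The following check is an added example written for this article, not Phylum's tooling or the aiocpa project's code; the DECODERS, PASSTHROUGH and SINKS name sets and the SAMPLE module are constructed for illustration. A static check like this only sees the outermost layer, since the inner layers live inside the encoded literal, so a hit is a reason to pull the distribution apart, not a full analysis.

```python
import ast

# Calls that turn an opaque literal back into bytes or text (one obfuscation layer each).
DECODERS = {"b64decode", "b85decode", "a85decode", "decompress", "unhexlify", "fromhex"}
PASSTHROUGH = {"compile", "decode"}  # wrap the payload without transforming it
SINKS = {"exec", "eval"}             # execute whatever string they are handed

def _call_name(node):
    """Bare callee name: 'b64decode' for base64.b64decode(...), 'exec' for exec(...)."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

def _decode_depth(node):
    """Count the decode/decompress layers wrapping the value that reaches a sink."""
    depth = 0
    while isinstance(node, ast.Call):
        name = _call_name(node)
        if name in DECODERS:
            depth += 1
            node = node.args[0] if node.args else None
        elif name in PASSTHROUGH:
            # x.decode() wraps its receiver; compile(src, ...) wraps its first argument
            if name == "decode" and isinstance(node.func, ast.Attribute):
                node = node.func.value
            else:
                node = node.args[0] if node.args else None
        else:
            break
    return depth

def find_decode_exec(source):
    """Return (line, sink, layers) for every exec/eval fed by a decode chain."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in SINKS and node.args:
            layers = _decode_depth(node.args[0])
            if layers:
                findings.append((node.lineno, _call_name(node), layers))
    return findings

# Constructed sample module: ordinary code plus a decode-and-exec line; the literal is a placeholder.
SAMPLE = '''\
import base64, zlib
def ping():
    return "ok"
exec(zlib.decompress(base64.b64decode(b"PLACEHOLDER-NOT-A-PAYLOAD")))
'''
print(find_decode_exec(SAMPLE))  # [(4, 'exec', 2)]
```

Run it over every .py file in the downloaded sdist or wheel (not the GitHub checkout, which in this incident was clean) and treat any finding as a reason to block the package pending manual review.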
Attack Implications
This security breach underlines the critical need to thoroughly inspect a package's source code before installing it. The incident demonstrates that attackers can deceive users by keeping public repositories free from suspicious code while distributing harmful versions through other channels. Cryptocurrency users leveraging the Crypto Pay system, which facilitates transactions via the Crypto Bot, are particularly affected, as the malicious package aimed to steal their API tokens and gain unauthorized access to their accounts.
Lessons and Precautions
Phylum emphasized that the attack shows that a package's previous track record does not assure its future security. Developers must heighten vigilance when adopting third-party libraries and consistently perform comprehensive audits of all components in the software supply chain.