The administrators of the Python Package Index (PyPI) repository have quarantined the package “aiocpa” following a new update that included malicious code to exfiltrate private keys via Telegram.
The package in question is described as a synchronous and asynchronous Crypto Pay API client. The package, originally released in September 2024, has been downloaded 12,100 times to date.
By putting the Python library in quarantine, it prevents further installation by clients and cannot be modified by its maintainers.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
Cybersecurity outfit Phylum, which shared details of the software supply chain attack last week, said the author of the package published the malicious update to PyPI, while keeping the library’s GitHub repository clean in an attempt to evade detection.
It’s currently not clear if the original developer was behind the rogue update or if their credentials were compromised by a different threat actor.
Signs of malicious activity were first spotted in version 0.1.13 of the library, which included a change to the Python script “sync.py” that’s designed to decode and run an obfuscated blob of code immediately after the package is installed.
“This particular blob is recursively encoded and compressed 50 times,” Phylum said, adding it’s used to capture and transmit the victim’s Crypto Pay API token using a Telegram bot.
It’s worth noting that Crypto Pay is advertised as a payment system based on Crypto Bot (@CryptoBot) that allows users to accept payments in crypto and transfer coins to users using the API.
The incident is significant, not least because it highlights the importance of scanning the package’s source code prior to downloading them, as opposed to just checking their associated repositories.
“As evidenced here, attackers can deliberately maintain clean source repos while distributing malicious packages to the ecosystems,” the company said, adding the attack “serves as a reminder that a package’s previous safety record doesn’t guarantee its continued security.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com