Article Details
Scrape Timestamp (UTC): 2024-11-25 13:55:11.728
Source: https://thehackernews.com/2024/11/pypi-python-library-aiocpa-found.html
Original Article Text
Click to Toggle View
PyPI Python Library "aiocpa" Found Exfiltrating Crypto Keys via Telegram Bot. The administrators of the Python Package Index (PyPI) repository have quarantined the package "aiocpa" following a new update that included malicious code to exfiltrate private keys via Telegram. The package in question is described as a synchronous and asynchronous Crypto Pay API client. The package, originally released in September 2024, has been downloaded 12,100 times to date. By putting the Python library in quarantine, it prevents further installation by clients and cannot be modified by its maintainers. Cybersecurity outfit Phylum, which shared details of the software supply chain attack last week, said the author of the package published the malicious update to PyPI, while keeping the library's GitHub repository clean in an attempt to evade detection. It's currently not clear if the original developer was behind the rogue update or if their credentials were compromised by a different threat actor. Signs of malicious activity were first spotted in version 0.1.13 of the library, which included a change to the Python script "sync.py" that's designed to decode and run an obfuscated blob of code immediately after the package is installed. "This particular blob is recursively encoded and compressed 50 times," Phylum said, adding it's used to capture and transmit the victim's Crypto Pay API token using a Telegram bot. It's worth noting that Crypto Pay is advertised as a payment system based on Crypto Bot (@CryptoBot) that allows users to accept payments in crypto and transfer coins to users using the API. The incident is significant, not least because it highlights the importance of scanning the package's source code prior to downloading them, as opposed to just checking their associated repositories. "As evidenced here, attackers can deliberately maintain clean source repos while distributing malicious packages to the ecosystems," the company said, adding the attack "serves as a reminder that a package's previous safety record doesn't guarantee its continued security."
Daily Brief Summary
A malicious update to the Python library "aiocpa" was added to PyPI, designed to exfiltrate private crypto keys using a Telegram bot.
Although the package was originally released in September 2024, signs of malicious activity surfaced in version 0.1.13.
This version altered the "sync.py" script to decode and execute a highly obfuscated code after installation.
The malicious code specifically captures the victim's Crypto Pay API token and transmits it using a Telegram bot.
PyPI has placed the "aiocpa" package in quarantine to prevent further downloads and modifications.
The discrepancy between the library’s GitHub repo, which remains clean, and the infected PyPI package indicates a possible attempt to evade detection.
It remains uncertain whether the original developer updated the package with malicious intent or if their credentials were stolen.
Cybersecurity experts highlight the necessity of verifying package source codes before installation, as attackers may exploit trust in previously secure packages.