The administrators of the Python Package Index (PyPI) repository have quarantined the aiocpa package after identifying malicious code designed to exfiltrate private keys via Telegram. This move prevents further installations and modifications by its maintainers.
Description and Impact
The aiocpa package, described as a synchronous and asynchronous Crypto Pay API client, was originally released in September 2024 and has been downloaded 12,100 times. Its quarantine aims to protect users from the embedded malicious code.
Cybersecurity Investigation
Cybersecurity firm Phylum, which revealed the supply chain attack, noted that the package’s author uploaded the malicious update to PyPI while keeping the GitHub repository clean to avoid detection. The origin of the rogue update is unclear, leaving questions about whether the original developer’s credentials were compromised.
Signs of Malicious Activity
The malicious activity was first detected in version 0.1.13, where a change to the “sync.py” script enabled the decoding and execution of an obfuscated code blob immediately upon installation. This blob, encoded and compressed 50 times, was designed to capture and transmit the victim’s Crypto Pay API token using a Telegram bot.
Crypto Pay and Security Implications
Crypto Pay, promoted as a payment system based on Crypto Bot, facilitates crypto payments and coin transfers using an API. This incident underscores the critical need to scan source code before downloading packages, as clean source repositories can still distribute malicious packages.
Recommendations
Phylum’s analysis serves as a stark reminder that a package’s historical safety record doesn’t guarantee ongoing security. Developers are urged to verify the authenticity of libraries, review source code, and use security tools to mitigate risks.
Conclusion
This incident highlights the ongoing challenges in securing open-source software repositories. Vigilance and proactive measures are essential for maintaining the integrity and security of development environments.
