November 25, 2024 at 10:00AM
The Python Package Index (PyPI) has quarantined the malicious “aiocpa” package after an update added code that exfiltrates users’ Crypto Pay API tokens (reported as private keys) to a Telegram bot. Originally released in September 2024 and downloaded about 12,100 times, the package hid the malicious code in an obfuscated blob inserted into one of its scripts. The incident underscores the need to scan the source of the artifact actually published to the index, not just the project’s linked repository.
**Meeting Takeaways: Software Supply Chain Attack on PyPI Package “aiocpa”**
1. **Package Quarantine:** PyPI has quarantined “aiocpa” because a recent update added malicious code that exfiltrates the user’s Crypto Pay API token (the private key reported in coverage of the incident) to a Telegram bot.
2. **Package Details:**
– Description: A Crypto Pay API client that supports both synchronous and asynchronous operations.
– Initial Release: September 2024.
– Download Count: Approximately 12,100 downloads to date.
3. **Malicious Update:**
– The malicious change first appears in version 0.1.13, which modified the package’s “sync.py” module.
– The modification added an obfuscated code blob that runs after the package is installed, capturing the victim’s Crypto Pay API token and sending it to a Telegram bot.
– Obfuscation: the blob is recursively encoded and compressed about 50 times, each layer decoding and executing the next, so a reader of the source sees only an opaque string and nothing that resembles a network call or a token read.
4. **Attribution Uncertainty:** It is not yet known whether the original developer pushed the malicious update or whether an attacker did so using the developer’s compromised publishing credentials.
5. **Preventive Measures:**
– Scan the source of the package as published on PyPI (the sdist or wheel) before installing it; the files on the index can differ from those in the project’s public repository, so a clean repository proves nothing about the artifact that actually gets installed.
– A package’s clean history does not guarantee that later versions are safe: pin versions and review each update before adopting it.
6. **Context of Attack:** The malicious package targeted users of Crypto Pay, a payment system that lets applications send and receive cryptocurrency payments through an API; the stolen API token is the credential that authorises calls against the victim’s account.
This incident is a reminder of the real risk carried by software supply chains and of the vigilance package management demands: review what you install, pin what you depend on, and watch for changes in packages you already trust.