Full Report
The administrators of the Python Package Index (PyPI) repository have quarantined the package "aiocpa" following a new update that included malicious code to exfiltrate private keys via Telegram. The package in question is described as a synchronous and asynchronous Crypto Pay API client. The package, originally released in September 2024, has been downloaded 12,100 times to date. By putting the
Analysis Summary
# Main Topic
Supply Chain Attack via Compromised Python Package: Exfiltration of Crypto Keys from the "aiocpa" PyPI library.
## Key Points
- The Python package "aiocpa," a synchronous and asynchronous Crypto Pay API client, was quarantined by PyPI administrators due to a malicious update.
- The malicious update enabled the exfiltration of private keys using a Telegram bot.
- The package was originally released in September 2024 and had accumulated 12,100 downloads.
- The malicious update was introduced in version **0.1.13** through a change in the "sync.py" script.
- The malicious code was heavily obfuscated (recursively encoded and compressed 50 times) to evade detection.
- A key finding is that the attacker maintained a clean GitHub repository while distributing the malicious version via the PyPI ecosystem, highlighting the risk of decoupled source code and distribution artifacts.
## Threat Actors
- **Attribution:** Not explicitly determined; it is unclear if the original developer was compromised or authored the rogue update.
- **Motivation:** Financial theft, targeting sensitive Crypto Pay API tokens.
## TTPs
- **Initial Compromise Vector:** Software Supply Chain attack through the PyPI repository.
- **Execution:** Malicious code introduced through the `sync.py` file executes immediately after installation.
- **Evasion:** Heavy obfuscation (50 times recursive encoding/compression) of the payload.
- **Data Exfiltration:** Sensitive data (Crypto Pay API token) is transmitted using a **Telegram bot**.
## Affected Systems
- **Platform:** Python Package Index (PyPI).
- **Affected Software:** The package `aiocpa` in version `0.1.13` and later updates, until quarantine.
- **Victims:** Any system that installed versions of `aiocpa` after the malicious update, exposing their Crypto Pay API credentials.
## Mitigations
- **Immediate Action:** PyPI administrators quarantined the package, preventing further installation. Users should check installations and remove the package immediately if previously installed.
- **Source Validation:** Scan package contents *before* downloading/installing, rather than relying solely on the cleanliness of the associated source code repository (e.g., GitHub).
- **Dependency Scanning:** Utilize security tools to scan dependencies for embedded obfuscated or suspicious post-installation logic.
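As an added illustration (not code from the report or the aiocpa project) of what a dependency scanner can do with the layered pattern described under Evasion: a static unwrapper that peels nested `exec(zlib.decompress(base64.b64decode(...)))` layers from a literal without ever executing the payload. The decoder chain, the sample source and the 50-layer wrap are assumptions constructed here; the report does not state which encodings the real payload used.

```python
import ast
import base64
import zlib

# Decoder calls we are willing to evaluate statically on literal input (assumed chain).
DECODERS = {"b64decode": base64.b64decode, "decompress": zlib.decompress}
SINKS = {"exec", "eval"}


def _call_name(func):
    """Final name of a call target: `zlib.decompress` -> 'decompress'."""
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None


def _decode_chain(node):
    """Evaluate a chain of decoder calls ending in a literal; raise otherwise."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
        return node.value if isinstance(node.value, bytes) else node.value.encode()
    if isinstance(node, ast.Call) and len(node.args) == 1:
        fn = DECODERS.get(_call_name(node.func))
        if fn is not None:
            return fn(_decode_chain(node.args[0]))
    raise ValueError("not a decoder chain over a literal")


def peel_layers(source, max_depth=200):
    """Return (layers_peeled, innermost_source). 0 layers means no wrapped exec."""
    depth = 0
    while depth < max_depth:
        inner = None
        for node in ast.walk(ast.parse(source)):
            if isinstance(node, ast.Call) and _call_name(node.func) in SINKS and node.args:
                try:
                    inner = _decode_chain(node.args[0]).decode()
                    break
                except (ValueError, zlib.error):  # exec() of a non-literal expression
                    continue
        if inner is None:
            return depth, source
        depth, source = depth + 1, inner
    return depth, source


def wrap(source, layers):
    """Constructed sample only: apply N exec(zlib+base64) layers to `source`."""
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(source.encode())).decode()
        source = f"import base64, zlib\nexec(zlib.decompress(base64.b64decode('{blob}')))"
    return source


if __name__ == "__main__":
    sample = wrap("TOKEN = 'constructed-sample'\n", 50)  # mimics the 50 rounds above
    print(peel_layers(sample))  # (50, "TOKEN = 'constructed-sample'\n")
```

Run it over the files of an extracted wheel or sdist; a non-zero layer count on an installation-time module is the kind of signal this incident calls for.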
## Conclusion
This incident represents a significant software supply chain compromise where a legitimate-looking artifact distributed via PyPI contained highly obfuscated, high-impact malware designed to steal cryptographic payment tokens via Telegram. The primary risk mitigation, identified by researchers, involves decoupling trust from source code repositories alone and rigorously inspecting package distributions.