Python Package PyPI Panic: Malicious Code Turns Crypto Pay into Crypto Prey
The aiocpa package on PyPI has been quarantined after sneaky code updates were found exfiltrating private keys via Telegram. A clean GitHub repo couldn’t hide the malicious package’s antics. Remember folks, trust but verify—especially when your private keys are involved!

Hot Take:
Who knew that a Python package could double as a wannabe spy agent? Looks like ‘aiocpa’ is taking the concept of “going viral” a tad too literally by sneaking your private keys to Telegram. Maybe next time it could just stick to what it knows best – being a Crypto Pay API client, and leave espionage to the professionals in trench coats!
Key Points:
- The “aiocpa” Python package has been quarantined due to malicious code aiming to steal private keys via Telegram.
- Originally released in September 2024, the package saw over 12,100 downloads before getting the boot.
- Cybersecurity firm Phylum revealed that the attack strategy involved keeping the GitHub repository clean while tainting only the PyPI update.
- The malicious code was found in version 0.1.13, where a heavily obfuscated blob exfiltrates data.
- This incident underscores the need for thorough code inspections beyond just the GitHub repository when dealing with open-source packages.
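The last point is the practical one: the artifact you install from PyPI is not the repository you read on GitHub. The script below is an added example for this post, not code from the aiocpa project or from Phylum. It shows one way to act on that advice: diff the Python files of an unpacked sdist/wheel against a git checkout, then run static obfuscation heuristics (exec/eval fed by base64/zlib/marshal-style decoders, very long string literals) over only the files that are new or changed. The two file trees are constructed, hypothetical stand-ins held in memory, and the "blob" is 240 letter As rather than a real payload; nothing is downloaded and nothing is executed.

```python
"""Audit a PyPI distribution against the project's GitHub checkout.

Added example for this post, not code from the aiocpa project or from Phylum.
It (1) lists Python files in the unpacked sdist/wheel that are missing from
or differ from the git checkout, and (2) runs static obfuscation heuristics
over those files only. The file trees below are constructed, hypothetical
stand-ins; nothing is downloaded and nothing is executed."""
import ast
import hashlib

# Decoder/loader call names that, feeding directly into exec()/eval(), form
# the classic shape of an obfuscated stage loader.
DECODER_CALLS = {"b64decode", "b85decode", "decompress", "loads", "unhexlify", "compile"}
LONG_LITERAL = 200  # a string constant at least this long is worth a look


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def differing_files(repo: dict, dist: dict) -> dict:
    """{path: reason} for distribution files absent from, or changed relative
    to, the repository checkout. Both arguments map path -> file text."""
    out = {}
    for path, content in dist.items():
        if path not in repo:
            out[path] = "only in distribution"
        elif sha256(content) != sha256(repo[path]):
            out[path] = "differs from repository"
    return out


def _call_name(node: ast.AST) -> str:
    """Callee name for f(...) or mod.f(...); '' for anything else."""
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return ""


def _is_long_str(node: ast.AST) -> bool:
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and len(node.value) >= LONG_LITERAL)


def obfuscation_findings(source: str) -> list:
    """Static heuristics over one module's text. Flags exec()/eval() whose
    argument is built from a decoder call or a long literal, plus any other
    long string literal. Purely syntactic: the source is parsed, never run."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"unparseable source at line {exc.lineno}: {exc.msg}"]
    findings, seen = [], set()
    for node in ast.walk(tree):
        if _call_name(node) not in {"exec", "eval"}:
            continue
        for inner in ast.walk(node):  # everything under the exec/eval call
            if _call_name(inner) in DECODER_CALLS:
                findings.append(f"line {node.lineno}: {_call_name(node)}() fed by {_call_name(inner)}()")
                break
            if _is_long_str(inner):
                seen.add(id(inner))
                findings.append(f"line {node.lineno}: {_call_name(node)}() of a {len(inner.value)}-char literal")
                break
    for node in ast.walk(tree):
        if _is_long_str(node) and id(node) not in seen:
            findings.append(f"line {node.lineno}: {len(node.value)}-char string literal")
    return findings


def audit(repo: dict, dist: dict) -> dict:
    """{path: [reason, *findings]} for every .py file that differs."""
    return {path: [reason] + obfuscation_findings(dist[path])
            for path, reason in differing_files(repo, dist).items()
            if path.endswith(".py")}


# Constructed sample trees (hypothetical contents, not aiocpa's real files).
CLIENT = ("import httpx\n\nclass CryptoPay:\n"
          "    def __init__(self, token):\n        self.token = token\n")
REPO = {"aiocpa/__init__.py": "from .client import CryptoPay\n",
        "aiocpa/client.py": CLIENT}
# Stage-loader shape appended only to the published copy. The blob is a
# placeholder of 240 'A's, not a real payload, so this file does nothing.
LOADER = ("import base64, zlib\n_blob = '" + "A" * 240 + "'\n"
          "exec(zlib.decompress(base64.b64decode(_blob)))\n")
DIST = {"aiocpa/__init__.py": REPO["aiocpa/__init__.py"],
        "aiocpa/client.py": CLIENT + "\n" + LOADER,
        "aiocpa/_compat.py": "PY3 = True\n"}  # new file, benign

if __name__ == "__main__":
    for path, lines in audit(REPO, DIST).items():
        print(path)
        for line in lines:
            print("   ", line)
```

In real use you would fill `REPO` and `DIST` by walking a `git clone` at the tagged release and the output of `pip download --no-deps --no-binary :all:` (or an unzipped wheel); the comparison is keyed on file hashes, so a release whose published code matches the repository produces an empty report, while a file that exists only in the distribution, as in this incident, is surfaced even before the heuristics run. The AST checks are deliberately conservative and will miss code that is only lightly obfuscated, so treat them as a triage aid rather than a verdict.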
