PyPI Library ‘aiocpa’ Breach Exposed via Telegram
What Happened?
The Python library “aiocpa“, an async and sync client for the Crypto Pay API, has been quarantined by the Python Package Index (PyPI) after a recent update was found to contain malicious code. This measure prevents further downloads and stops the package maintainers from making changes.
You might be interested in: Telegram CEO Charged with Multiple Crimes
The package, first launched in September 2024, has been downloaded 12,100 times. It is widely used for managing cryptocurrency payments through the Crypto Pay API, which is linked to Crypto Bot (@CryptoBot), a payment system for sending and receiving cryptocurrency.
How the Malicious Code Was Detected
Cybersecurity experts from Phylum discovered signs of malicious activity in version 0.1.13 of the library. The update included changes to the sync.py
script, which decoded and ran an obfuscated piece of code immediately after installation.
Phylum reported that the malicious code was heavily disguised—it was encoded and compressed 50 times. Once installed, the code used a Telegram bot to steal and send the victim’s Crypto Pay API token, potentially giving the attacker access to sensitive data.
A Clever Cover-Up
Interestingly, the library’s GitHub repository showed no signs of tampering, which was likely an attempt to avoid detection. Instead, the malicious code was added only to the package uploaded to PyPI.
It’s still unclear whether this was done by the original developer or if someone else accessed their account to upload the harmful update.
Why This Is a Big Deal
This situation highlights the risks of relying solely on a package’s reputation or linked repositories when deciding to install it. Attackers can keep the public-facing source code clean while sneaking harmful code into the distributed package itself.
Phylum noted, “A package’s history of being safe doesn’t mean it will always be secure.”
Lessons Learned
The incident serves as a warning to:
- Always inspect the source code before installing packages.
- Be cautious even with libraries that have a good track record.
- Consider using tools or services that detect potential threats in software dependencies.
By staying vigilant and thoroughly reviewing packages, developers can avoid falling victim to supply chain attacks like this one.