Alert: Popular Python Library Caught Stealing Crypto Keys Through Hidden Telegram Backdoor

PyPI Repository Blocks Malicious Python Package “aiocpa”

The Python Package Index (PyPI) has quarantined the “aiocpa” package after discovering malicious code in its latest update. The package, a Crypto Pay API client with 12,100 downloads since September 2024, was found attempting to steal private keys through Telegram.

Key Points:

– The malicious code was discovered by cybersecurity firm Phylum in version 0.1.13

– While the package’s GitHub repository remained clean, the PyPI version contained malicious updates

– The attack involved a heavily obfuscated code blob (encoded and compressed 50 times) in the “sync.py” script

– The malicious code targeted Crypto Pay API tokens, transmitting them via a Telegram bot

– The package has been quarantined, preventing further installations and modifications

Security Implications:

1. The incident demonstrates the importance of scanning package source code before installation

2. Clean GitHub repositories don’t guarantee safe packages

3. Previously safe packages can become compromised

4. The original developer’s involvement remains unclear (possible credential compromise)

This attack serves as a reminder for developers to maintain vigilant security practices when using third-party packages, regardless of their historical safety record.
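A static check for the pattern described above (a file whose body is an exec() of a base64+zlib blob nested many layers deep), as an added example that is not code from the article or the aiocpa project: it peels the layers without executing anything and reports the nesting depth and the innermost source, so a reviewer can inspect a file like sync.py from a PyPI sdist before installing it. The fixture is constructed with a harmless payload (the real blob is not reproduced), and the exact decoder chain it recognises is an assumption about the shape of such blobs.

```python
import ast
import base64
import zlib

# Decoders applied statically while peeling; any other call stops the unwrap.
DECODERS = {"b64decode": base64.b64decode, "decompress": zlib.decompress}

def _unwrap_once(source):
    """Return the payload if `source` is a lone exec()/eval() of a decoder chain over a literal, else None."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return None
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.Expr):
        return None
    call = tree.body[0].value
    if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
            and call.func.id in ("exec", "eval") and len(call.args) == 1):
        return None
    node, steps = call.args[0], []
    while isinstance(node, ast.Call) and len(node.args) == 1:  # exec(f(g("...")))
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in DECODERS:
            return None
        steps.append(DECODERS[name])
        node = node.args[0]
    if not (isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes))):
        return None
    data = node.value.encode() if isinstance(node.value, str) else node.value
    for fn in reversed(steps):  # innermost decoder runs first; the payload is never executed
        data = fn(data)
    return data.decode("utf-8", errors="replace")

def unwrap_layers(source, limit=100):
    """Peel nested layers (bounded; aiocpa's blob was wrapped ~50 times); return (depth, innermost_source)."""
    depth = 0
    while depth < limit and (inner := _unwrap_once(source)) is not None:
        source, depth = inner, depth + 1
    return depth, source

def _wrap(source, layers):
    """Constructed fixture only: nest a harmless payload in the same exec/zlib/base64 shape for offline testing."""
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(source.encode())).decode()
        source = f'exec(zlib.decompress(base64.b64decode("{blob}")))'
    return source

SAMPLE_SYNC_PY = _wrap("TOKEN = 'placeholder-not-real'\n", 3)  # constructed stand-in for sync.py
```

Any depth greater than zero on a file in a package release is worth a manual look; a depth in the dozens, as in this incident, is a strong signal that the release differs from what the repository shows.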