The administrators of the Python Package Index (PyPI) repository have quarantined the package "aiocpa" following a new update that included malicious code to exfiltrate private keys via Telegram.
The package in question is described as a synchronous and asynchronous Crypto Pay API client. The package, originally released in September 2024, has been downloaded 12,100 times to date.
By putting the Python library in quarantine, it prevents further installation by clients and cannot be modified by its maintainers.
Cybersecurity outfit Phylum, which shared details of the software supply chain attack last week, said the author of the package published the malicious update to PyPI, while keeping the library's GitHub repository clean in an attempt to evade detection.
It's currently not clear if the original developer was behind the rogue update or if their credentials were compromised by a different threat actor.
Signs of malicious activity were first spotted in version 0.1.13 of the library, which included a change to the Python script "sync.py" that's designed to decode and run an obfuscated blob of code immediately after the package is installed.
"This particular blob is recursively encoded and compressed 50 times," Phylum said, adding it's used to capture and transmit the victim's Crypto Pay API token using a Telegram bot.
It's worth noting that Crypto Pay is advertised as a payment system based on Crypto Bot (@CryptoBot) that allows users to accept payments in crypto and transfer coins to users using the API.
The incident is significant, not least because it highlights the importance of scanning the package's source code prior to downloading them, as opposed to just checking their associated repositories.
"As evidenced here, attackers can deliberately maintain clean source repos while distributing malicious packages to the ecosystems," the company said, adding the attack "serves as a reminder that a package's previous safety record doesn't guarantee its continued security."
Update
PyPI administrators and cybersecurity firm ReversingLabs have also published their own analyses of the campaign, in addition to highlighting the malware author's unsuccessful attempts to transfer ownership of what they claimed was an abandoned package. The package aiocpa has since been formally removed from the PyPI repository.
"Unlike the majority of the attacks targeting open source repositories like npm and PyPI, the malicious actors behind aiocpa were not impersonating or typosquatting legitimate looking packages," ReversingLabs researcher Karlo Zanki said.
"Instead, they published their own crypto client tool in order to steadily attract a user base that would later be compromised through a malicious version update."