The aiocpa library, a Python client for the Crypto Bot-based payment system Crypto Pay, was maliciously updated on the Python Package Index (PyPI) to steal private keys by exfiltrating them through Telegram, as part of a newly identified software supply chain attack, The Hacker News reports.
The package, a synchronous and asynchronous Crypto API client that has since been removed from PyPI, was first compromised in aiocpa version 0.1.13, where the "sync.py" script was modified to execute a code blob wrapped in multiple layers of encoding and compression; once unwrapped, that code exfiltrated Crypto Pay API tokens through a Telegram bot, according to a report from Phylum, which has not yet conclusively attributed the compromise to a specific actor. "As evidenced here, attackers can deliberately maintain clean source repos while distributing malicious packages to the ecosystems," said Phylum, which urged developers to scan the source code of PyPI packages before downloading them to prevent potential compromise.
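As an added example (not Phylum's tooling and not the aiocpa code), the script below shows one way to review a package before installing it, along the lines Phylum recommends: it parses a module, finds literals that reach exec() or eval() through a chain of decode and decompress calls, strips the encoding and compression layers, and checks the recovered text for strings a payment-API client should not contain. The tampered module it scans is a constructed stand-in with a harmless payload; the decoder set and the indicator list are assumptions.

```python
import ast, base64, bz2, lzma, zlib

# A layer is accepted only if the decoder succeeds and actually changes the data.
DECODERS = (
    ("base64", lambda b: base64.b64decode(b, validate=True)),
    ("base85", base64.b85decode),
    ("zlib", zlib.decompress),
    ("bz2", bz2.decompress),
    ("lzma", lzma.decompress),
)
# Strings a reviewer would not expect inside a payment-API client (assumed list).
INDICATORS = (b"api.telegram.org", b"environ", b"token")

def peel(blob: bytes, max_depth: int = 12):
    """Strip nested encoding/compression layers; return (layer names, innermost bytes)."""
    layers = []
    for _ in range(max_depth):
        for name, decode in DECODERS:
            try:
                out = decode(blob)
            except Exception:
                continue
            if out and out != blob:
                layers.append(name)
                blob = out
                break
        else:
            break  # no decoder applied: this is the innermost payload
    return layers, blob

def exec_literals(source: str):
    """Yield (line, bytes) for every str/bytes literal fed, via any call chain, to exec/eval."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in ("exec", "eval"):
            for sub in ast.walk(node):
                if isinstance(sub, ast.Constant) and isinstance(sub.value, (str, bytes)):
                    v = sub.value
                    yield node.lineno, v.encode() if isinstance(v, str) else v

def scan(source: str):
    """Unwrap every exec/eval literal and report its layers plus indicator hits."""
    findings = []
    for line, literal in exec_literals(source):
        layers, payload = peel(literal)
        hits = [i.decode() for i in INDICATORS if i in payload.lower()]
        findings.append({"line": line, "layers": layers, "indicators": hits})
    return findings

# Constructed stand-in for a tampered module: a harmless payload wrapped in four layers and handed to exec().
HIDDEN = (b"import os\nTOKEN = os.environ.get('CRYPTO_PAY_TOKEN')\n"
          b"URL = 'https://api.telegram.org/bot<PLACEHOLDER>/sendMessage'\n")
BLOB = base64.b85encode(bz2.compress(base64.b64encode(zlib.compress(HIDDEN))))
SAMPLE_SOURCE = ("import base64, bz2, zlib\ndef run():\n    exec(zlib.decompress("
                 "base64.b64decode(bz2.decompress(base64.b85decode(" + repr(BLOB) + ")))))\n")
```

Running scan() over every .py file in a downloaded sdist or wheel, and diffing that file set against the project's source repository, is what turns this into the pre-install check Phylum describes.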