A malicious Python Package Index (PyPI) package, dubbed “aiocpa” and engineered to steal cryptocurrency wallet data, has been uncovered by security researchers.
The package posed as a legitimate crypto client tool while secretly exfiltrating sensitive information to a Telegram bot. Reversing Labs researchers identified and reported the threat, leading to its removal from the PyPI.
Discovered on November 21, aiocpa evaded traditional security checks by publishing authentic-looking updates to an initially benign tool. Obfuscated code within the utils/sync.py file revealed a wrapper around the CryptoPay initialization function, designed to extract tokens and other sensitive data.
Further analysis showed that this code used layers of Base64 encoding and zlib compression to hide its malicious intent.
Unlike many attacks targeting open-source repositories, the creators of aiocpa avoided impersonation tactics. Instead, they built a user base by presenting the package as a legitimate tool.
“A first glance at the package’s project page didn’t show any reason for suspicion. It looked like a well-maintained crypto-pay API client package, with several versions published since September 2024. It also had a well-organized documentation page,” Reversing Labs explained.
The researchers also noted an attempt to take over an existing PyPI project, “pay,” to exploit its established user base.
Lessons for Developers
Reversing Labs further warned that the aiocpa incident highlights critical steps developers should take to secure their software:
-
Pin dependencies and versions to prevent unexpected updates
-
Use hash checks to verify package integrity
-
Perform advanced security assessments using behavioral analysis tools
Read more on software supply threats: CISA Urges Improvements in US Software Supply Chain Transparency
“This incident is a clear reminder that open-source software security threats are growing and becoming harder to detect,” Reversing Labs said.
The firm also stated that the measures employed by the threat actors to conceal their malicious creation made it difficult to identify the supply chain threat, even with diligent attempts to evaluate the quality and integrity of the package.
“With the ever-growing sophistication of threat actors and the complexity of modern software supply chains, dedicated tools need to be incorporated into your development process to help prevent these threats and mitigate related risks.”