
Python Crypto Library Updated to Steal Private Keys

submitted by
Style Pass
2024-11-23 04:00:02

Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean of the malicious code to evade detection.

And to its credit, this does appear to be true…or at least it was true until version 0.1.13 was released. This package was first published in August of 2024 and has received seemingly appropriate updates, as one would expect, since then. However, yesterday (20 November 2024), the author published an update with the following diff to the file cryptopay/utils/sync.py:

A highly obfuscated blob is inserted at the top level of the utils.sync module in a crypto library? You only need one guess where this is going. Before we deobfuscate to see precisely what it’s doing, let’s first take a look at how and when this blob is executed. Since this is at the top level of this module, we only need to find where it’s imported. It turns out the package's top-level __init__.py does exactly that:
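The execution path the post describes (top-level code in a submodule that runs the moment the package `__init__` imports it) is something a reviewer can check for statically, without running the package. The following is an added example, not Phylum's tooling and not code from the aiocpa package or its repository: it parses a module with Python's `ast`, flags top-level statements that reach an execution sink (`exec`, `eval`, `compile`) together with decoder calls, flags unusually long high-entropy string constants, and checks whether a package `__init__` reaches a given submodule at import time. The two sample sources and the blob inside them are constructed for the example (the blob is base64 of the byte values 0..255, meaningless and never decoded or executed); the function and file names are assumptions.

```python
import ast
import base64
import math
from dataclasses import dataclass

# Calls that execute code, and decoder names that typically wrap a self-decoding blob.
EXEC_SINKS = {"exec", "eval", "compile", "__import__"}
DECODER_HINTS = {"b64decode", "b85decode", "decompress", "unhexlify", "fromhex"}


@dataclass
class Finding:
    lineno: int
    kind: str
    detail: str


def shannon_entropy(text: str) -> float:
    """Bits per character: random-looking base64 scores near 6, English prose near 4."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _names_in(node: ast.AST):
    """Every bare name and attribute name referenced anywhere under a node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            yield sub.id
        elif isinstance(sub, ast.Attribute):
            yield sub.attr


def scan_module_source(source: str, min_blob_len: int = 200, min_entropy: float = 4.0) -> list:
    """Statically inspect one module. Execution sinks are only reported for statements
    in tree.body that run at import time; def/class bodies do not (decorators are the
    exception and are left out here for brevity). Blobs are reported wherever they sit."""
    tree = ast.parse(source)
    findings = []
    for node in tree.body:
        runs_at_import = not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))
        names = set(_names_in(node))
        if runs_at_import and names & EXEC_SINKS:
            findings.append(Finding(node.lineno, "import-time-exec",
                            f"sinks={sorted(names & EXEC_SINKS)} decoders={sorted(names & DECODER_HINTS)}"))
        for sub in ast.walk(node):
            if isinstance(sub, ast.Constant) and isinstance(sub.value, (str, bytes)):
                value = sub.value.decode("latin-1") if isinstance(sub.value, bytes) else sub.value
                if len(value) >= min_blob_len and shannon_entropy(value) >= min_entropy:
                    findings.append(Finding(sub.lineno, "high-entropy-blob",
                                    f"{len(value)} chars, {shannon_entropy(value):.2f} bits/char"))
    return findings


def import_reaches(init_source: str, target: str) -> bool:
    """True if a package __init__ imports `target` (relative dotted path such as
    '.utils.sync') at top level, so importing the package runs that module's body."""
    tree = ast.parse(init_source)
    for node in tree.body:
        candidates = set()
        if isinstance(node, ast.ImportFrom):
            dots, mod = "." * node.level, node.module or ""
            candidates.add(dots + mod)
            for alias in node.names:
                candidates.add(dots + (mod + "." if mod else "") + alias.name)
        elif isinstance(node, ast.Import):
            # Absolute form, e.g. 'import pkg.utils.sync'; assumes the first component is the package.
            candidates.update("." + a.name.split(".", 1)[1] for a in node.names if "." in a.name)
        if any(c == target or c.startswith(target + ".") for c in candidates):
            return True
    return False


# Constructed sample sources (not aiocpa's code). The blob is base64 of bytes 0..255:
# random-looking but meaningless, and the scanner only parses it, never runs it.
_BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_SYNC_PY = f'''
import base64, zlib
BLOB = "{_BLOB}"
exec(compile(zlib.decompress(base64.b64decode(BLOB)), "<blob>", "exec"))
def sync_helper():
    return 1
'''
SAMPLE_INIT_PY = "from .utils.sync import sync_helper\n"  # constructed: package pulls the module in at import
CLEAN_PY = "import os\n\ndef cwd():\n    return os.getcwd()\n"

if __name__ == "__main__":
    for finding in scan_module_source(SAMPLE_SYNC_PY):
        print(finding)
    print("reached at package import:", import_reaches(SAMPLE_INIT_PY, ".utils.sync"))
```

Run against a package checkout, the two checks answer the question the post asks in order: does any module execute a decoded blob at top level, and does the package `__init__` import that module, so that the payload fires on a plain `import`. Both checks are heuristics; an obfuscator can split strings or route through `getattr`, so treat a clean result as a reason to diff the sdist against the repository, not as a verdict.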
