A malicious Python Package Index (PyPI) package called “aiocpa”, built to steal cryptocurrency wallet data, has been discovered by security researchers.
The package presented itself as a legitimate crypto client tool while secretly exfiltrating sensitive information to a Telegram bot. ReversingLabs researchers identified and reported the threat, which led to the package's removal from PyPI.
On November 21, aiocpa slipped past traditional security controls by publishing authentic-looking updates to an initially benign tool. Obfuscated code within the utils/sync.py file revealed a wrapper around the CryptoPay initialization function, designed to exfiltrate tokens and other sensitive data.
Further analysis showed that this code used layers of Base64 encoding and zlib compression to hide its malicious intent.
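The nested Base64-plus-zlib layering described above is easy to triage mechanically once you know the shape: keep decoding until the data stops being valid Base64 or a valid zlib stream, count how many layers came off, and look at what surrounds the decoded blob. The script below is an added example written for this article, not ReversingLabs' tooling or anything from the aiocpa package. The loader statement, the blob extraction regex, the four-layer depth and the harmless innermost statement are all constructed here; the real payload is not reproduced, and the layering is simplified to plain base64(zlib(...)) rounds.

```python
import base64
import re
import zlib

# Constructed sample payload: a harmless statement standing in for whatever
# an attacker hides. It is NOT the aiocpa payload.
INNER = b"print('innermost layer reached')"

# Matches the Base64 literal handed to b64decode(...) in a loader statement.
BLOB_RE = re.compile(r"b64decode\(\s*b?['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Dynamic-execution calls that, next to an encoded blob, raise the score.
DYNAMIC_CALLS = ("exec(", "eval(", "__import__(")


def wrap_layers(payload: bytes, layers: int) -> bytes:
    """Apply `layers` rounds of zlib compression followed by Base64 encoding.
    Used only to build the constructed sample for this example."""
    data = payload
    for _ in range(layers):
        data = base64.b64encode(zlib.compress(data))
    return data


def peel_layers(blob: bytes, max_layers: int = 200) -> tuple[int, bytes]:
    """Undo nested Base64+zlib layers until the data no longer decodes.
    Returns (layers_removed, innermost_bytes). Plain source text is neither
    valid Base64 nor a zlib stream, so the loop stops there."""
    data, depth = blob, 0
    while depth < max_layers:
        try:
            data = zlib.decompress(base64.b64decode(data, validate=True))
        except (ValueError, zlib.error):  # binascii.Error is a ValueError
            break
        depth += 1
    return depth, data


def analyse_source(source: str, suspicious_depth: int = 3) -> dict:
    """Triage one Python source file: pull the loader's blob, count the
    encoding layers, and record dynamic-execution calls around it."""
    layers, inner = 0, b""
    match = BLOB_RE.search(source)
    if match:
        layers, inner = peel_layers(match.group(1).encode("ascii"))
    dynamic = [call for call in DYNAMIC_CALLS if call in source]
    return {
        "layers": layers,
        "inner": inner,
        "dynamic_calls": dynamic,
        # Deep nesting alone is a strong signal; even one layer fed straight
        # into exec/eval deserves a human look.
        "flag": layers >= suspicious_depth or (layers > 0 and bool(dynamic)),
    }


# Constructed loader statement in the shape described in the article,
# wrapping INNER four times.
SAMPLE_SOURCE = (
    "exec(__import__('zlib').decompress(__import__('base64').b64decode(b'"
    + wrap_layers(INNER, 4).decode("ascii")
    + "')))"
)

if __name__ == "__main__":
    report = analyse_source(SAMPLE_SOURCE)
    print(f"layers={report['layers']} dynamic={report['dynamic_calls']} flag={report['flag']}")
    print("innermost:", report["inner"].decode("utf-8", "replace"))
```

Running it on a clean file (no loader, no blob) yields zero layers and no flag; on the constructed sample it reports four layers, the `exec(` and `__import__(` calls, and the recovered innermost statement. In a real audit the same loop is worth running over every `.py` file in an sdist or wheel before the package is installed, since the article's point is that the project page and documentation looked entirely legitimate.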
Unlike many attacks on open-source repositories, the makers of aiocpa avoided impersonation tactics. Instead, they built a user base by presenting the package as a legitimate tool.
“A first glance at the package's project page showed no reason for suspicion. It looked like a well-maintained Crypto Pay API client package, with various versions published since September 2024. It also had a well-organized documentation page,” explained ReversingLabs.
The researchers also noticed an attempt to take over an existing PyPI project, ‘pay’, in order to use its established user base.
Lessons for developers
ReversingLabs also warned that the aiocpa incident highlights critical steps developers should take to protect their software:
- Pin dependencies and versions to prevent unexpected updates
- Use hash checks to verify the integrity of the package
- Perform advanced security assessments using behavioral analysis tools
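The first two recommendations, pinning exact versions and verifying package hashes, are what pip's `--require-hashes` mode enforces: a requirements line carries `name==version` plus one or more `--hash=sha256:...` options, and anything that does not match is refused. The script below is an added example written for this article, not ReversingLabs' or pip's code; it reimplements that check in a few dozen lines so the logic is visible. The package name `examplepkg`, the version numbers, the file contents and the requirements text are all constructed placeholders, and the requirements format follows pip's documented hash-checking syntax.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A pinned line: name==version followed by one or more --hash=alg:hex options,
# the same shape pip consumes under --require-hashes.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)==([^\s\\]+)")
HASH_OPT = re.compile(r"--hash=([A-Za-z0-9]+):([0-9a-fA-F]+)")


def parse_pins(text: str) -> dict:
    """Map (name, version) -> set of (algorithm, hexdigest).
    Rejects any line that is not pinned to an exact version with at least
    one hash: an unpinned line is exactly where an unexpected update slips in."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        req = REQ_LINE.match(line)
        if not req:
            raise ValueError(f"not pinned to ==version: {line!r}")
        hashes = {(alg.lower(), hexd.lower()) for alg, hexd in HASH_OPT.findall(line)}
        if not hashes:
            raise ValueError(f"no --hash for {req.group(1)}: refusing unverified file")
        pins[(req.group(1).lower(), req.group(2))] = hashes
    return pins


def verify_artifact(path, name: str, version: str, pins: dict) -> bool:
    """True only if the file's digest matches a pinned hash for exactly this
    name and version; a newer version, however legitimate it looks, fails."""
    expected = pins.get((name.lower(), version))
    if not expected:
        return False
    data = Path(path).read_bytes()
    return any(hashlib.new(alg, data).hexdigest() == hexd for alg, hexd in expected)


def demo() -> dict:
    """Constructed scenario: the file that was audited, a tampered copy of it,
    and a surprise 'update' with a new version number. Only the audited file passes."""
    audited = b"constructed stand-in for examplepkg-1.0.0-py3-none-any.whl"
    tampered = audited + b"\n# injected code"
    requirements = (
        "examplepkg==1.0.0 \\\n"
        f"    --hash=sha256:{hashlib.sha256(audited).hexdigest()}\n"
        "# comment lines and blank lines are ignored\n"
    )
    pins = parse_pins(requirements)
    with tempfile.TemporaryDirectory() as tmp:
        good_path = Path(tmp) / "examplepkg-1.0.0.whl"
        bad_path = Path(tmp) / "examplepkg-1.0.0-tampered.whl"
        good_path.write_bytes(audited)
        bad_path.write_bytes(tampered)
        return {
            "audited_file_accepted": verify_artifact(good_path, "examplepkg", "1.0.0", pins),
            "tampered_file_rejected": not verify_artifact(bad_path, "examplepkg", "1.0.0", pins),
            "new_version_rejected": not verify_artifact(good_path, "examplepkg", "1.0.1", pins),
        }


if __name__ == "__main__":
    print(demo())
```

The key design point is that the hash is bound to a specific (name, version) pair recorded at audit time, so a maintainer account (or a hijacked one) pushing a fresh release cannot get that release installed until someone deliberately re-audits it and updates the pin. That is the control that would have stopped an "authentic-looking update" of the kind this incident relied on from reaching a build.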
“This incident is a clear reminder that open source software supply chain threats are growing and becoming more difficult to detect,” said ReversingLabs.
The company also stated that the measures the threat actors used to hide their malicious creation made the supply chain threat difficult to identify, even with diligent attempts to evaluate the package's quality and integrity.
“With the ever-growing sophistication of threat actors and the complexity of modern software supply chains, specialized tools must be included in your development process to prevent these threats and reduce the related risks.”