CyberSecurity updates
2024-12-26 02:09:03 Pacific

Malicious PyPI Crypto Client Steals Wallet Data - 26d
Read more: x.com

A malicious Python package, "aiocpa," disguised as a legitimate cryptocurrency client, has been discovered on the Python Package Index (PyPI). The package, downloaded 12,100 times since its September 2024 release, contained obfuscated code designed to steal sensitive information. This code, located within the "utils/sync.py" file, exfiltrated cryptocurrency trading tokens to a Telegram bot, highlighting a significant vulnerability in the software supply chain. Researchers at ReversingLabs initially detected the malicious activity using machine learning-based threat hunting, revealing the sophisticated nature of the attack.

The malicious code within aiocpa was heavily obfuscated, using multiple layers of Base64 encoding and zlib compression. After deobfuscation, researchers determined that it acted as a simple wrapper around the CryptoPay initialization function, sending stolen data directly to a Telegram bot. This highlights the need for developers to thoroughly scrutinize packages before integrating them into projects, as even seemingly legitimate packages can harbor malicious intent. The PyPI security team responded swiftly, quarantining and subsequently removing the aiocpa package.
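As an added illustration (not code from the report or from ReversingLabs), the following Python scanner peels nested Base64-plus-zlib layers of the kind described above and flags hidden Telegram API strings in the innermost code; the `exec(zlib.decompress(base64.b64decode(...)))` shape it matches, the indicator list and the sample file contents are assumptions constructed for this example.

```python
import base64
import re
import zlib

# Assumed shape of one obfuscation layer: a quoted Base64 literal fed to
# zlib.decompress(base64.b64decode(...)). Real samples may vary this form.
LAYER_RE = re.compile(
    r"""zlib\.decompress\(\s*base64\.b64decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)"""
)

# Strings a reviewer would want flagged when they only appear after decoding.
INDICATORS = ("api.telegram.org", "sendMessage", "sendDocument")


def peel_layers(src: str, max_layers: int = 16) -> tuple[str, int]:
    """Repeatedly decode Base64+zlib payloads until no encoded layer remains.
    Returns the innermost source text and the number of layers removed."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(src)
        if not m:
            break
        try:
            src = zlib.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # not a decodable layer; stop instead of looping on junk
        layers += 1
    return src, layers


def scan_source(src: str) -> dict:
    """Flag a file as suspicious when indicators surface only under obfuscation."""
    inner, layers = peel_layers(src)
    hits = [ind for ind in INDICATORS if ind in inner]
    return {"layers": layers, "indicators": hits, "suspicious": layers > 0 and bool(hits)}


def wrap_layers(plain: str, n: int) -> str:
    """Builds the constructed test input: n nested Base64+zlib layers around plain."""
    src = plain
    for _ in range(n):
        blob = base64.b64encode(zlib.compress(src.encode())).decode()
        src = f'exec(zlib.decompress(base64.b64decode("{blob}")))'
    return src


# Constructed stand-in for a package file; the inner text is a placeholder, not real code.
SAMPLE_INNER = 'TARGET = "https://api.telegram.org/bot<TOKEN>/sendMessage"  # constructed\n'
SAMPLE_PACKAGE_FILE = wrap_layers(SAMPLE_INNER, 3)
BENIGN_FILE = "def sync():\n    return 1\n"

if __name__ == "__main__":
    print(scan_source(SAMPLE_PACKAGE_FILE))  # layers 3, indicators found
    print(scan_source(BENIGN_FILE))          # layers 0, nothing flagged
```

In a review pipeline the same check can run over every `.py` file in a fresh release to surface the kind of hidden wrapper that a plain diff of the packaged source would not reveal.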

This incident serves as a stark reminder of the risks associated with malicious packages in open-source repositories. The attackers behind aiocpa employed a unique strategy, publishing a legitimate-appearing cryptocurrency client to build a user base before introducing the malicious code in a later update. This approach underscores the importance of robust security practices, including thorough code review, dependency management, and the utilization of machine learning-based threat hunting tools to identify and mitigate these increasingly sophisticated supply chain attacks. The incident highlights the need for greater vigilance and proactive security measures throughout the entire software development lifecycle.