Python Crypto Library Updated to Steal Private Keys

Summary:
Yesterday, a malicious update to the PyPI package aiocpa was discovered, which includes code that exfiltrates private keys via Telegram. The attacker cleverly kept the GitHub repository clean to avoid detection while distributing the compromised package. This incident highlights the need for vigilance in reviewing open-source dependencies.
#OpenSourceSecurity #MaliciousCode #DependencyManagement

Keypoints:

Phylum’s platform detected malicious code in the aiocpa package on PyPI.

The malicious code steals private keys and sends them via Telegram.

The attacker maintained a clean GitHub repository to evade detection.

The package was first published in August 2024, with an update released on November 20, 2024.

The malicious payload is highly obfuscated and executed upon importing the package.

The incident emphasizes the importance of scanning actual code in open-source ecosystems.

It raises concerns about the security of packages with previously good reputations.

MITRE Techniques

Command and Control (T1071): Utilizes Telegram to exfiltrate private keys from compromised systems.

Obfuscated Files or Information (T1027): The malicious payload is heavily obfuscated to avoid detection.

IoC:

[Others] Telegram Bot Token: 7858967142:AAGeM6QvKdEUK9ZWD9XoVM_Zl1cmj_mlyJo

[Others] Telegram Chat ID: 6526761736

[File Hash] aiocpa_0.1.13.tar.gz: ad9f5183aa8d792ed1bc991ab3ac9b0cd4160fd9276071a7e63e7d7b4e3481b8

[File Hash] aiocpa-0.1.13-py3-none-any.whl: 6f435a3f209c09d8f7cf180f759a5faa2ff215edc1afce2cd62078574bb70c69

[File Hash] aiocpa_0.1.14.tar.gz: 556bfea997880f1365d3822d26ea57e2cfaecb231128ea1e7e50ad1f778147bb

[File Hash] aiocpa-0.1.14-py3-none-any.whl: c43148103e24a16d59896d6db395ed66a2cd5772ff308dfea10aa36b7f433589

Full Research: https://blog.phylum.io/python-crypto-library-updated-to-steal-private-keys/

SHARE THIS STORY

WhatsApp X (Twitter)Telegram Bluesky Facebook LinkedIn Threads Email Print