Malicious PyPI Package Downloaded 12,000 Times Stole Private Keys
Administrators of the Python Package Index (PyPI) quarantined and then removed the aiocpa package, which had been installed over 12,000 times. After a recent update, the package contained malicious code designed to steal private keys.
The aiocpa package was described as a synchronous and asynchronous client for the Crypto Pay API. It was originally released in September 2024 and had been downloaded 12,100 times before its removal.
According to analysts at Phylum, who discovered this supply chain attack, the package author published the malicious update only on PyPI, while the library’s repository on GitHub remained clean.
It is currently unclear whether the malicious update was made by the original developer or whether the developer's credentials were compromised by attackers who then published the malicious version of aiocpa to PyPI.
How the Attack Worked
The first signs of malicious activity appeared in version 0.1.13. In this version, the sync.py Python script was modified to decode and execute an obfuscated block of code immediately after the package was installed.
“This particular blob is recursively encoded and compressed 50 times,” Phylum researchers explained, adding that it was used to capture and steal the victim’s Crypto Pay API token via a Telegram bot.
Crypto Pay is promoted as a payment system based on the Crypto Bot in Telegram, allowing users to accept cryptocurrency payments and make transfers using its API.
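The nested "decode, decompress, exec" loader described above can be unwrapped statically, without ever running the payload, which is how an analyst confirms what a suspicious module does before it is given a chance to execute. The following is an added example and not code from Phylum or the aiocpa project; it assumes each layer has the shape `exec(<decompress>(<b64decode>(<literal>)))` and peels layers with base64 and zlib only, re-parsing each result with the `ast` module. The `make_sample` helper builds a benign constructed sample (a `print` call wrapped in the same shape) so the script runs offline; `suspicious_calls` is a cheap triage signal for spotting loader-style code in a package before peeling.

```python
# Added example (not Phylum's or the aiocpa project's code): a static "layer peeler"
# for the nested exec(decompress(b64decode(<literal>))) pattern described above.
# It never executes the payload; each layer is only base64-decoded and
# zlib-decompressed, then re-parsed with the ast module. Assumption: every layer
# wraps a bytes/str literal in a chain of calls ending in exec(...).
import ast
import base64
import binascii
import zlib

SUSPICIOUS_CALLS = {"exec", "eval", "b64decode", "decompress", "__import__"}
INNER = 'print("hello from the innermost layer")'  # benign constructed payload


def _call_name(node):
    """Name of a called function, whether written as f(...) or mod.f(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def suspicious_calls(source):
    """Sorted list of loader-style call names present in the source (triage signal)."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return []
    found = {_call_name(n) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    return sorted(found & SUSPICIOUS_CALLS)


def _exec_literal(source):
    """Literal at the bottom of the first exec(...) argument chain, or None."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return None
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) == "exec":
            inner = node.args[0] if node.args else None
            while isinstance(inner, ast.Call) and inner.args:
                inner = inner.args[0]
            if isinstance(inner, ast.Constant) and isinstance(inner.value, (bytes, str)):
                value = inner.value
                return value.encode() if isinstance(value, str) else value
    return None


def peel_layers(source, max_layers=200):
    """Statically unwrap nested layers; returns (layers_removed, innermost_source)."""
    depth, current = 0, source
    while depth < max_layers:
        blob = _exec_literal(current)
        if blob is None:
            break
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64: stop rather than guess at the encoding
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # this layer was encoded but not compressed
        try:
            current = data.decode("utf-8")
        except UnicodeDecodeError:
            break  # decoded bytes are not source text; leave for manual review
        depth += 1
    return depth, current


def make_sample(layers):
    """Constructed benign sample: INNER wrapped `layers` times in the same shape."""
    src = INNER
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode()))
        src = f"exec(zlib.decompress(base64.b64decode({blob!r})))"
    return src


if __name__ == "__main__":
    sample = make_sample(50)  # same nesting depth Phylum reported
    print("triage:", suspicious_calls(sample))
    print("layers removed, innermost source:", peel_layers(sample))
```

The peeler stops as soon as a layer does not match the expected shape rather than guessing, so anything it cannot unwrap is left for manual inspection; `max_layers` bounds the loop in case a loader is self-referential.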
Security Implications
“As practice shows, attackers may intentionally keep source code repositories clean while distributing their malicious packages in ecosystems,” the researchers concluded. “This attack serves as a reminder that just because a package was safe in the past, it does not guarantee its safety in the future.”
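The practical check that follows from the researchers' point is to compare what was actually published against the source repository for the same release, since the repository being clean says nothing about the artifact. The script below is an added example, not Phylum's or the aiocpa project's code; it assumes two unpacked directories (in real use, an extracted sdist downloaded from PyPI beside a checkout of the repository tag for that version) and reports files that were added, dropped or changed in the distribution. The `run_demo` function builds both trees with constructed content so the example runs offline; `PKG-INFO` and `.egg-info` directories are treated as expected sdist-only metadata, which is an assumption to adjust per project.

```python
# Added example (not Phylum's or the aiocpa project's code): compare the files
# shipped in a distribution against a source checkout, so a package whose
# GitHub repository is clean but whose PyPI artifact is not gets flagged.
# Assumption: both inputs are unpacked directories (e.g. an extracted sdist
# next to the checkout of the matching release tag). The demo builds both
# trees itself with constructed content so it runs offline.
import hashlib
import tempfile
from pathlib import Path

IGNORE_NAMES = {"PKG-INFO"}                    # sdist-only metadata (assumed benign)
IGNORE_DIR_SUFFIXES = (".egg-info", ".git")    # directories to skip on either side


def _digests(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.name in IGNORE_NAMES or any(
            part.endswith(IGNORE_DIR_SUFFIXES) for part in rel.parts[:-1]
        ):
            continue
        result[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare_trees(repo_dir, dist_dir):
    """Report files added to, dropped from, or changed in the distribution."""
    repo, dist = _digests(repo_dir), _digests(dist_dir)
    shared = set(repo) & set(dist)
    return {
        "only_in_dist": sorted(set(dist) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(dist)),
        "modified": sorted(p for p in shared if repo[p] != dist[p]),
    }


def _write(base, rel, text):
    path = Path(base) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def run_demo():
    """Constructed sample: the same package in both trees, except that the
    distribution's sync.py gained a module-level loader line and a helper file."""
    init_py = "from .sync import Client\n"
    sync_py = "class Client:\n    def get_me(self):\n        return {}\n"
    with tempfile.TemporaryDirectory() as repo, tempfile.TemporaryDirectory() as dist:
        _write(repo, "pkg/__init__.py", init_py)
        _write(repo, "pkg/sync.py", sync_py)
        _write(dist, "pkg/__init__.py", init_py)
        _write(dist, "pkg/sync.py", sync_py + "exec(_unwrap(BLOB))  # constructed placeholder line\n")
        _write(dist, "pkg/_blob.py", "BLOB = b''  # constructed placeholder\n")
        _write(dist, "PKG-INFO", "Name: pkg\nVersion: 0.0.0\n")
        return compare_trees(repo, dist)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

Any entry under `modified` or `only_in_dist` that is not explained by the build process is the file to open first; a module that the repository never contained, or a source file that differs from the tagged commit, is exactly the condition the researchers describe.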