Crypto Bot-based Payment System Crypto Pay Hit by Software Supply Chain Intrusion

Nov 26, 2024 at 10:09 pm

Crypto Bot-based payment system Crypto Pay had its aiocpa library on the Python Package Index repository maliciously updated to facilitate private key theft through Telegram as part of a new software supply chain intrusion, The Hacker News reports.

Cryptocurrency payment service Crypto Pay has fallen victim to a software supply chain attack, with its aiocpa library on the Python Package Index (PyPI) repository being maliciously updated to steal private keys via Telegram, The Hacker News reports.

The initial compromise of the package, a synchronous and asynchronous Crypto API client that has since been removed from PyPI, was noted in aiocpa version 0.1.13. Modifications to its "sync.py" script executed a code blob wrapped in multiple layers of encoding and compression, ultimately enabling Telegram bot-based exfiltration of Crypto Pay API tokens, according to a report from Phylum. Phylum has not yet definitively attributed the package compromise to a specific actor.

"As evidenced here, attackers can deliberately maintain clean source repos while distributing malicious packages to the ecosystems," said Phylum, which urged developers to perform PyPI package source code scanning before downloading packages to mitigate potential compromise.
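
As an added illustration of the source scanning Phylum recommends (this is not Phylum's tooling and not code from the aiocpa package), the Python sketch below statically inspects the files inside a downloaded wheel for the pattern described above: `exec`/`eval` applied to data that passes through decoding or decompression calls, plus hard-coded Telegram Bot API URLs. The function names, the decoder list and the sample input are assumptions made for this example.

```python
import ast
import io
import zipfile

# Heuristic lists (assumptions for this example): calls that unwrap or run payloads.
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "fromhex",
            "decompress", "loads", "decode"}
RUNNERS = {"exec", "eval", "compile"}

def _name(call: ast.Call) -> str:
    """Last component of the called name, e.g. zlib.decompress -> 'decompress'."""
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def scan_source(source: str, filename: str = "<src>") -> list[str]:
    """Parse (never execute) source and report suspicious constructs."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and _name(node) in RUNNERS:
            inner = [n for a in node.args for n in ast.walk(a) if isinstance(n, ast.Call)]
            layers = [_name(n) for n in inner if _name(n) in DECODERS]
            if layers:
                findings.append(f"{filename}:{node.lineno}: {_name(node)}() of decoded data "
                                f"({len(layers)} layer(s): {', '.join(layers)})")
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and "api.telegram.org" in node.value):
            findings.append(f"{filename}:{node.lineno}: Telegram Bot API URL literal")
    return findings

def scan_wheel(data: bytes) -> list[str]:
    """Scan every .py member of a wheel (zip archive) held in memory, without installing it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member.endswith(".py"):
                findings += scan_source(zf.read(member).decode("utf-8", "replace"), member)
    return findings

# Constructed sample, not the real aiocpa code: a placeholder blob behind two layers.
# It is only parsed by the scanner, never run.
SAMPLE = (
    "import base64, zlib\n"
    "exec(zlib.decompress(base64.b64decode('Y29uc3RydWN0ZWQ=')))\n"
    "URL = 'https://api.telegram.org/bot<TOKEN>/sendMessage'\n"
)

if __name__ == "__main__":
    print("\n".join(scan_source(SAMPLE, "sync.py")))
```

Because the published artifact can differ from a clean source repository, the scan has to run on the archive actually fetched from the index; hits are leads for manual review, not verdicts.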
