According to The Hacker News, the aiocpa library in the Python Package Index repository of Crypto Pay, a payment system based on Crypto Bot, was maliciously updated to facilitate the theft of private keys via Telegram, as part of a new software supply chain compromise.
Cryptocurrency payment service Crypto Pay has fallen victim to a software supply chain attack, with its aiocpa library on the Python Package Index (PyPI) repository being maliciously updated to steal private keys via Telegram, The Hacker News reports.
The initial compromise of the package, a synchronous and asynchronous Crypto API client that has since been removed from PyPI, was noted in modifications to the "sync.py" script in aiocpa version 0.1.13: the script executed a code blob wrapped in multiple layers of encoding and compression, ultimately exfiltrating Crypto Pay API tokens through a Telegram bot, according to a report from Phylum, which has not yet definitively attributed the package compromise to a specific actor.
"As evidenced here, attackers can deliberately maintain clean source repos while distributing malicious packages to the ecosystems," said Phylum, which urged developers to perform PyPI package source code scanning before downloading packages to mitigate potential compromise.
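The kind of source scan Phylum recommends, as an added example that is not from the report or from the aiocpa project: a static checker that peels base64/zlib/bz2/lzma layers off long string literals in a Python file without executing anything, then flags markers such as `exec(` or a Telegram Bot API URL in the innermost payload. The `sync.py` it scans is a constructed stand-in, not the real malicious code.

```python
import ast, base64, bz2, lzma, zlib

# Markers whose presence in a decoded payload warrants a closer look.
SUSPICIOUS = ("exec(", "eval(", "__import__", "api.telegram.org")
DECODERS = (("base64", lambda b: base64.b64decode(b, validate=True)),
            ("zlib", zlib.decompress), ("bz2", bz2.decompress), ("lzma", lzma.decompress))

def peel_layers(blob: bytes, max_layers: int = 10):
    """Unwrap nested encoding/compression layers statically; nothing is executed."""
    layers = []
    for _ in range(max_layers):
        for name, decode in DECODERS:
            try:
                out = decode(blob)
            except Exception:
                continue
            if out and out != blob:
                layers.append(name)
                blob = out
                break
        else:
            break  # no decoder applied: innermost payload reached
    return layers, blob

def scan_source(src: str):
    """Report long string literals that unwrap into a payload, with any suspicious markers."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and len(node.value) > 40:
            layers, payload = peel_layers(node.value.encode())
            if layers:
                text = payload.decode("utf-8", "replace")
                hits = [m for m in SUSPICIOUS if m in text]
                findings.append({"line": node.lineno, "layers": layers, "hits": hits})
    return findings

# Constructed sample: a harmless stand-in wrapped base64 -> zlib -> base64, mimicking
# the layered blob described in the report (this is NOT the real aiocpa payload).
_INNER = 'URL = "https://api.telegram.org/bot<TOKEN>/sendMessage"\nexec("pass")\n'
_BLOB = base64.b64encode(zlib.compress(base64.b64encode(_INNER.encode()))).decode()
SAMPLE_SYNC_PY = (
    "import base64, zlib\n"
    f'exec(base64.b64decode(zlib.decompress(base64.b64decode("{_BLOB}"))))\n'
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SYNC_PY):
        print(f"line {f['line']}: layers={f['layers']} hits={f['hits']}")
```

Run it against a downloaded sdist before installing; a literal that unwraps through several layers into text containing `exec(` is a strong reason to stop and read the package by hand.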