According to The Hacker News, the aiocpa library in the Python Package Index repository of Crypto Pay, a payment system based on Crypto Bot, was maliciously updated to facilitate the theft of private keys via Telegram, as part of a new software supply chain compromise.
Cryptocurrency payment service Crypto Pay has fallen victim to a software supply chain attack, with its aiocpa library on the Python Package Index (PyPI) repository being maliciously updated to steal private keys via Telegram, The Hacker News reports.
The initial compromise of the package, a synchronous and asynchronous Crypto API client that has since been removed from PyPI, was observed in aiocpa version 0.1.13: modifications to the "sync.py" script executed a code blob wrapped in multiple layers of encoding and compression, ultimately exfiltrating Crypto Pay API tokens through a Telegram bot, according to a report from Phylum, which has not yet definitively attributed the package compromise to a specific actor.
"As evidenced here, attackers can deliberately maintain clean source repos while distributing malicious packages to the ecosystems," said Phylum, which urged developers to perform PyPI package source code scanning before downloading packages to mitigate potential compromise.
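A static check of the kind Phylum recommends, written as an added example rather than Phylum's tooling or any code from the aiocpa package: it walks a module's AST for exec()/eval() calls fed by decode/decompress calls, peels base64 and zlib layers off the literal they carry without executing anything, and recurses into the result. The sample module and its layered, harmless payload are constructed here; the real blob's exact layering is not on the page, so only the base64/zlib pairing is assumed.

```python
import ast, base64, re, zlib

DECODERS = {"b64decode", "b32decode", "b85decode", "a85decode", "decompress"}

def _callee(call: ast.Call) -> str:  # 'exec' for exec(...), 'decompress' for zlib.decompress(...)
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", "")

def peel_layers(blob: bytes, cap: int = 8):
    """Undo zlib and base64 wrapping in turn; returns (innermost bytes, layers peeled)."""
    for layers in range(cap):
        try:
            blob = zlib.decompress(blob)
            continue
        except zlib.error:
            stripped = re.sub(rb"\s+", b"", blob) or b"?"  # '?' makes empty input fail validation
        try:
            blob = base64.b64decode(stripped, validate=True)  # rejects bad alphabet, length, padding
        except ValueError:
            return blob, layers
    return blob, cap

def scan_source(src) -> dict:
    """Static pass: exec/eval wrapped around decoders; peel their literal, recurse if it parses."""
    report = {"exec_calls": 0, "layers": 0, "innermost": b""}
    try:
        tree = ast.parse(src)  # accepts str or bytes; binary payloads simply fail to parse
    except (SyntaxError, ValueError):
        return report
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _callee(node) in ("exec", "eval")):
            continue
        sub = list(ast.walk(node))
        if not any(isinstance(n, ast.Call) and _callee(n) in DECODERS for n in sub):
            continue
        report["exec_calls"] += 1
        literals = [n.value for n in sub if isinstance(n, ast.Constant) and isinstance(n.value, (str, bytes))]
        for lit in (x for x in literals if len(x) >= 32):  # skip short names such as 'zlib'
            decoded, layers = peel_layers(lit if isinstance(lit, bytes) else lit.encode())
            if layers:  # only a literal that actually unwrapped counts as a payload carrier
                nested = scan_source(decoded)  # static recursion; nothing is ever executed
                report["exec_calls"] += nested["exec_calls"]
                report["layers"] += layers + nested["layers"]
                report["innermost"] = nested["innermost"] or decoded
    return report

# Constructed sample (not the real aiocpa blob): a harmless print() wrapped in zlib+base64 inside a loader that is wrapped again.
_INNER = b'print("hello from the innermost layer")'
_LOADER = b"exec(__import__('zlib').decompress(__import__('base64').b64decode(%r)))\n" % base64.b64encode(zlib.compress(_INNER))
SAMPLE_SYNC_PY = "import base64, zlib\nexec(zlib.decompress(base64.b64decode(%r)))\n" % base64.b64encode(zlib.compress(_LOADER))
```

Run `scan_source` over each `.py` file of a downloaded sdist or wheel; a non-zero `layers` count on an `exec`/`eval` site is the pattern worth a manual look before the package is installed.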