PYSEC-2024-152

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aiocpa/PYSEC-2024-152.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2024-152
Published
2024-11-25T20:45:43.420620Z
Modified
2024-11-25T19:30:00Z
Summary
aiocpa 0.1.13 contains credential harvesting code
Details

aiocpa is a user-facing library for generating color gradients of text. Version 0.1.13 introduced obfuscated, malicious code targeting Crypto Pay users, forwarding client credentials to a remote Telegram bot. All versions have been removed from PyPI.

References
Credits
    • Karlo Zanki - REPORTER
    • Mike Fiedler - COORDINATOR

Affected packages

PyPI / aiocpa

Package

Affected ranges

Affected versions

0.*
    • 0.1.13
    • 0.1.14