GHSA-486g-47cc-8wxf: aiocpa contains credential harvesting code
aiocpa is a user-facing library for generating color gradients of text. Version 0.1.13 introduced obfuscated, malicious code targeting Crypto Pay users, forwarding client credentials to a remote Telegram bot. All versions have been removed from PyPI.
References
- blog.pypi.org/posts/2024-11-25-aiocpa-attack-analysis
- github.com/advisories/GHSA-486g-47cc-8wxf
- github.com/pypa/advisory-database/tree/main/vulns/aiocpa/PYSEC-2024-152.yaml
- inspector.pypi.io/project/aiocpa/0.1.13/packages/ab/98/7343281068a2c39086d0b877219668a487508197f46e89b3f41046a4a8ba/aiocpa-0.1.13.tar.gz/aiocpa-0.1.13/cryptopay/utils/sync.py
Detect and mitigate GHSA-486g-47cc-8wxf with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →