id: PYSEC-2024-152
modified: 2024-11-25T19:30:00Z
summary: aiocpa 0.1.13 contains credential harvesting code
details: |
  aiocpa is a user-facing library for generating color gradients of text.
  Version 0.1.13 introduced obfuscated, malicious code targeting
  Crypto Pay users, forwarding client credentials to a remote Telegram bot.
  All versions have been removed from PyPI.
affected:
- package:
    ecosystem: PyPI
    name: aiocpa
    purl: pkg:pypi/aiocpa
  versions:
  - 0.1.13
  - 0.1.14
references:
- type: EVIDENCE
  url: https://inspector.pypi.io/project/aiocpa/0.1.13/packages/ab/98/7343281068a2c39086d0b877219668a487508197f46e89b3f41046a4a8ba/aiocpa-0.1.13.tar.gz/aiocpa-0.1.13/cryptopay/utils/sync.py#line.44
- type: WEB
  url: https://blog.pypi.org/posts/2024-11-25-aiocpa-attack-analysis/
credits:
- name: Karlo Zanki
  type: REPORTER
- name: Mike Fiedler
  type: COORDINATOR