aiocpa 0.1.13

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
pypa · Nov 25, 2024 · 08598a0 · 08598a0
1 parent f3d3239
commit 08598a0
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/vulns/aiocpa/PYSEC-0000-aiocpa.yaml b/vulns/aiocpa/PYSEC-0000-aiocpa.yaml
@@ -0,0 +1,26 @@
+id: PYSEC-0000-1368
+modified: 2024-11-25T19:30:00.000000Z
+summary: aiocpa 0.1.13 contains credential harvesting code
+details: |
+  aiocpa is a user-facing library for generating color gradients of text.
+  Version 0.1.13 introduced obfuscated, malicious code targeting
+  Crypto Pay users, forwarding client credentials to a remote Telegram bot.
+  All versions have been removed from PyPI.
+affected:
+- package:
+    ecosystem: PyPI
+    name: aiocpa
+    purl: pkg:pypi/aiocpa
+  versions:
+  - "0.1.13"
+  - "0.1.14"
+references:
+- type: EVIDENCE
+  url: https://inspector.pypi.io/project/aiocpa/0.1.13/packages/ab/98/7343281068a2c39086d0b877219668a487508197f46e89b3f41046a4a8ba/aiocpa-0.1.13.tar.gz/aiocpa-0.1.13/cryptopay/utils/sync.py#line.44
+- type: WEB
+  url: https://blog.pypi.org/posts/2024-11-25-aiocpa-attack-analysis/
+credits:
+- type: REPORTER
+  name: Karlo Zanki
+- type: COORDINATOR
+  name: Mike Fiedler