GHSA-486g-47cc-8wxf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-486g-47cc-8wxf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-486g-47cc-8wxf/GHSA-486g-47cc-8wxf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-486g-47cc-8wxf
- Published
- 2024-11-25T22:08:57Z
- Modified
- 2024-11-25T22:08:57Z
- Severity
-
- 8.3 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- aiocpa contains credential harvesting code
- Details
-
aiocpa is a user-facing library for generating color gradients of text. Version 0.1.13 introduced obfuscated, malicious code targeting Crypto Pay users, forwarding client credentials to a remote Telegram bot. All versions have been removed from PyPI.
- Database specific
{ "github_reviewed_at": "2024-11-25T22:08:57Z", "cwe_ids": [], "nvd_published_at": null, "severity": "HIGH", "github_reviewed": true }- References
-
- https://blog.pypi.org/posts/2024-11-25-aiocpa-attack-analysis
- https://github.com/pypa/advisory-database/tree/main/vulns/aiocpa/PYSEC-2024-152.yaml
- https://inspector.pypi.io/project/aiocpa/0.1.13/packages/ab/98/7343281068a2c39086d0b877219668a487508197f46e89b3f41046a4a8ba/aiocpa-0.1.13.tar.gz/aiocpa-0.1.13/cryptopay/utils/sync.py#line.44
Affected packages
PyPI / aiocpa
Package
- Name
- aiocpa
- View open source insights on deps.dev
- Purl
- pkg:pypi/aiocpa