25 May 2022

Popular Python and PHP libraries altered to steal AWS keys


A popular Python module “ctx”, available in the PyPi repository for Python software libraries, has been compromised in what appears to be yet another supply chain attack.

Ctx is a simple package that allows dictionary items to be accessed using dot notation and has about 22,000 downloads per week. Despite its popularity, the original package was last uploaded to PyPi on December 19, 2014. However, on and after May 14, 2022, new versions were uploaded containing an “extra feature” designed to steal secrets such as Amazon AWS keys and credentials. The stolen data was sent to a Heroku URL, 'anti-theft-web.herokuapp[.]com'.

The investigation revealed that the original maintainer's domain name had expired and that the perpetrator registered it on May 14, 2022. With control over the original domain name, the malicious actor could have created a matching e-mail address to receive a password reset e-mail, removed the old package, and uploaded trojanized versions.

The attackers uploaded three backdoored versions of ctx: 0.1.2, 0.2.2 and 0.2.6. The “new” ctx 0.1.2 version contained code designed to retrieve the AWS access key ID, the computer name and the AWS secret access key whenever a dictionary is created. In the case of ctx v0.2.6, the attacker attempted to obtain all environment variables.
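One defensive check the timeline above suggests, as an added example that is not from the article or from the ctx project: scan a package's release history from the PyPI JSON API for a version published after years of dormancy and followed by a burst of further releases. The sample metadata below is constructed; only the 2022 version numbers and dates come from the article, and the pre-2022 versions are placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of PyPI's JSON API response
# (GET https://pypi.org/pypi/<name>/json -> "releases": {version: [file, ...]}).
# The 2022 versions and dates follow the ctx timeline described in the article;
# the pre-2022 version numbers are placeholders, not ctx's real release history.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "ctx"},
    "releases": {
        "0.1.0": [{"filename": "ctx-0.1.0.tar.gz", "upload_time_iso_8601": "2014-11-03T12:00:00Z"}],
        "0.1.1": [{"filename": "ctx-0.1.1.tar.gz", "upload_time_iso_8601": "2014-12-19T12:00:00Z"}],
        "0.1.2": [{"filename": "ctx-0.1.2.tar.gz", "upload_time_iso_8601": "2022-05-14T12:00:00Z"}],
        "0.2.2": [{"filename": "ctx-0.2.2.tar.gz", "upload_time_iso_8601": "2022-05-19T12:00:00Z"}],
        "0.2.6": [{"filename": "ctx-0.2.6.tar.gz", "upload_time_iso_8601": "2022-05-21T12:00:00Z"}],
    },
})


def release_timeline(pypi_json):
    """Return [(version, first_upload_time)] sorted by upload time, oldest first."""
    data = json.loads(pypi_json)
    timeline = []
    for version, files in data["releases"].items():
        if not files:          # yanked or empty release entries carry no files
            continue
        first = min(datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
                    for f in files)
        timeline.append((version, first))
    timeline.sort(key=lambda item: item[1])
    return timeline


def find_dormant_revivals(pypi_json, dormant_days=730, burst_days=30):
    """Flag releases published after >= dormant_days of silence, together with the
    number of further releases that followed within burst_days: a long-dormant
    package suddenly shipping several versions in a week deserves a closer look."""
    timeline = release_timeline(pypi_json)
    flagged = []
    for i in range(1, len(timeline)):
        prev_ver, prev_time = timeline[i - 1]
        ver, when = timeline[i]
        gap = when - prev_time
        if gap < timedelta(days=dormant_days):
            continue
        burst = sum(1 for _, t in timeline[i + 1:] if t - when <= timedelta(days=burst_days))
        flagged.append({"version": ver, "previous": prev_ver,
                        "gap_days": gap.days, "releases_within_burst": burst})
    return flagged


if __name__ == "__main__":
    for hit in find_dormant_revivals(SAMPLE_PYPI_JSON):
        print(f"{hit['version']} published {hit['gap_days']} days after {hit['previous']}, "
              f"followed by {hit['releases_within_burst']} more release(s) within 30 days")
```

In practice the function would be fed the live JSON for each dependency in a lockfile, and a flagged version would be pinned back or held for manual review before installation.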

Additionally, security researchers have found another compromised library designed to help threat actors obtain AWS credentials. The library in question is PHPass, a portable PHP password hashing framework. A compromised version of PHPass uploaded to the Packagist repository was found to contain the same malicious domain.

Both impacted libraries have been removed from PyPi and GitHub.
