25 May 2022

Popular Python and PHP libraries altered to steal AWS keys

A popular Python module, “ctx”, available in the PyPI repository for Python software libraries, has been compromised in what appears to be yet another software supply chain attack.

Ctx is a simple package that lets code access dictionary items using dot notation; it has about 22,000 downloads per week. Despite its popularity, the original package was last uploaded to PyPI on December 19, 2014. On and after May 14, 2022, however, new versions were uploaded containing an “extra feature” designed to steal secrets such as AWS access keys and other credentials. The stolen data was sent to a Heroku-hosted URL, anti-theft-web.herokuapp[.]com.

The investigation revealed that the original maintainer's domain name had expired, and that the perpetrator registered it on May 14, 2022. With control over the domain, the attacker could create a mailbox at the maintainer's old e-mail address, request a password reset for the PyPI account, remove the old package and upload trojanized versions in its place.
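The timeline above points to a cheap defensive check: a project that has been silent for years and suddenly publishes new releases deserves a second look before it is upgraded. The script below is an added example, not code from the article or from the ctx project. It reads release history in the shape served by the PyPI JSON API (https://pypi.org/pypi/<project>/json, whose per-file entries carry an `upload_time_iso_8601` field) and reports every release from the first upload that follows a long gap onward. The release data is constructed to mirror the ctx dates given in the article; the exact timestamps and the 0.1.0/0.1.1 entries are assumptions, not the project's real history.

```python
"""Flag PyPI releases published after a long period of dormancy.

Added example, not code from the article or the ctx project. Consumes the
"releases": {version: [files]} mapping returned by the PyPI JSON API and
reports releases that follow a gap longer than max_gap_days.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the PyPI JSON API layout; timestamps are assumptions
# chosen to mirror the article (last legitimate upload Dec 2014, new uploads
# from 14 May 2022). They are not the project's real release history.
SAMPLE_PYPI_JSON = {
    "info": {"name": "ctx"},
    "releases": {
        "0.1.0": [{"filename": "ctx-0.1.0.tar.gz",
                   "upload_time_iso_8601": "2014-12-18T10:00:00.000000Z"}],
        "0.1.1": [{"filename": "ctx-0.1.1.tar.gz",
                   "upload_time_iso_8601": "2014-12-19T09:00:00.000000Z"}],
        "0.1.2": [{"filename": "ctx-0.1.2.tar.gz",
                   "upload_time_iso_8601": "2022-05-14T20:00:00.000000Z"}],
        "0.2.2": [{"filename": "ctx-0.2.2.tar.gz",
                   "upload_time_iso_8601": "2022-05-16T08:00:00.000000Z"}],
        "0.2.6": [{"filename": "ctx-0.2.6.tar.gz",
                   "upload_time_iso_8601": "2022-05-21T13:00:00.000000Z"}],
    },
}


def _parse_upload_time(ts):
    # PyPI emits a trailing 'Z'; datetime.fromisoformat() accepts it only from 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def release_timeline(pypi_json):
    """Return [(version, earliest upload time)] ordered by upload time.

    Versions with no files left (deleted distributions) are skipped.
    """
    timeline = []
    for version, files in pypi_json.get("releases", {}).items():
        if not files:
            continue
        first = min(_parse_upload_time(f["upload_time_iso_8601"]) for f in files)
        timeline.append((version, first))
    timeline.sort(key=lambda item: item[1])
    return timeline


def dormant_revivals(pypi_json, max_gap_days=365):
    """Versions published at or after the first gap longer than max_gap_days.

    Returns [(version, whole days since the previous release), ...]. Everything
    after the revival is included because a taken-over project tends to publish
    several versions in quick succession, as ctx did with 0.1.2, 0.2.2 and 0.2.6.
    """
    timeline = release_timeline(pypi_json)
    max_gap = timedelta(days=max_gap_days)
    for i in range(1, len(timeline)):
        if timeline[i][1] - timeline[i - 1][1] > max_gap:
            return [(timeline[j][0], (timeline[j][1] - timeline[j - 1][1]).days)
                    for j in range(i, len(timeline))]
    return []


if __name__ == "__main__":
    for version, gap in dormant_revivals(SAMPLE_PYPI_JSON):
        print(f"{version}: uploaded {gap} days after the previous release")
```

Against the constructed data the check flags 0.1.2 (roughly seven and a half years after 0.1.1) and the two releases that follow it. In a real pipeline the same function would run over the live JSON document for each dependency before a lockfile update, with a hash-pinned install as the second line of defence.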

The attackers uploaded three backdoored versions of ctx: 0.1.2, 0.2.2 and 0.2.6. The “new” 0.1.2 contained code that, whenever a ctx dictionary is created, read the AWS access key ID, the AWS secret access key and the computer name and sent them to the attacker's server. In ctx 0.2.6 the attacker went further and attempted to exfiltrate all environment variables.

Additionally, security researchers found a second compromised library designed to obtain AWS credentials for threat actors: PHPass, a portable PHP password hashing framework. A compromised version of PHPass published through the Packagist repository contacted the same malicious domain.

Both compromised libraries have since been removed from PyPI and GitHub.
