Python libraries are being attacked for AWS keys

By Nick Heyman On May 25, 2022

When a GitHub repository that hasn’t been touched for almost a decade suddenly gets an “update”, users should be wary, as it might just be a hostile takeover with the intention of distributing viruses (opens in new tab).

That’s exactly what happened to the PyPI module “ctx”, which apparently has millions of downloads. Earlier this month, following a software supply chain attack, someone replaced the safe “ctx” code with an updated version that steals developer environment variables and collects secrets such as Amazon AWS keys and credentials.

These are then sent to a Heroku endpoint (opens in new tab)at https://anti-theft-web.herokuapp[.]com/hacked/

Repo jacking

The attack, first spotted by BleepingComputer, resulted in some 20,000 downloads.

Besides “ctx”, versions of “phpass” that were published to the PHP/Composer package repository Packagist have also been “updated” in the same way. This one also has millions of downloads.

CTX is a Python module whose last update happened in 2014. Then, eight years later, on May 15, the module was updated with a malicious code, as was spotted by Reddit users, and later confirmed by ethical hackers. PHPass, on the other hand, is an open-source password hashing framework, released in 2005, and downloaded more than two million times, so far.

PyPI took down the malicious versions a few hours after they were uploaded to the repository, but the damage had already been done, it was said. The damage done via PHPass was a lot more limited, researchers added.

Researchers are claiming both attacks were done by the same person, whose identity is “obvious”, but are refraining from naming any names before more details are unveiled.

Researchers are dubbing these types of attacks as “repo jacking” (repository hijacking), and these are hardly their first examples. Earlier this year, popular npm libraries ua-parser-js, coa, and rc have all been repo jacked to serve cryptocurrency miners and infostealers to their victims.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TheDailyCheck is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected] The content will be deleted within 24 hours.