A popular Python library was recently hacked, and a malicious version was installed, ostensibly to aid the attacker in obtaining AWS credentials. Sonatype, SANS Institute, and an independent researcher investigated the situation. There have been two libraries targeted in the attack, although only one of them may have had a more substantial impact.
On May 14, the Python package Ctx, which receives 22,000 downloads per week on average, was hacked on the Python Package Index (PyPI). Before this attack, the last Ctx upgrade was posted to PyPI in December 2014, although new versions were released on and after May 14. According to the investigation, the attacker renewed the domain on May 14 after the original maintainer’s domain name expired. They might have generated an email address for the password reset link if they had access to the domain.
The attacker’s Ctx versions — 0.1.2 (the last version of the original), 0.2.2, and 0.2.6 — featured the ability to steal data and upload it to a remote site controlled by the attacker. When a dictionary is formed, targeted data in one version contains AWS access key ID, computer name, and AWS secret access key. Another variant of Ctx was designed to target all environment variables.
The PHPass portable PHP password hashing framework was the second library to be stolen. In September 2021, PHPass and its original developer’s account were deactivated. The attacker appears to have claimed the developer’s username when it became accessible, giving them access to the project’s GitHub account.
Both of the affected libraries have been decommissioned. While the malicious Ctx version may have affected many people, PHPass appears to have only been installed by a few people in recent weeks. According to Sonatype, there is evidence linking the two instances. Developers who have recently downloaded one of the two packages should ensure they are not employing the malicious version. The SANS Institute provides indicators of compromise (IoC).
Last week, Sonatype discovered a malicious Python package on PyPI that seemed to be a copy of the popular PyKafka Apache Kafka client. The malicious package “pymafka” was downloaded about 300 times. It made Cobalt Strike available on Windows, macOS, and Linux.