PyPI package 'ctx' and PHP library 'phpass' hijacked to obtain AWS keys

PyPI package 'ctx' and PHP library 'phpass' hijacked to obtain AWS keys

Image:
PyPI package 'ctx' and PHP library 'phpass' hijacked to obtain AWS keys

Both attacks appears to be the work of the same actor

Security researchers this week identified two corrupt Python and PHP packages in what appears to be yet another instance of a software supply chain attack targeting the open-source ecosystem.

Python Package Index (PyPI) module 'ctx' is one of the packages in question, with over 20,000 downloads each week.

The second concerns a forked PHP project 'phpass' that suffered what researchers have previously characterised as repo-hijacking attacks, with the project corrupted to include a malicious payload.

Despite their popularity, the phpass and ctx library modules do not seem to have been updated since they were first uploaded to repositories in 2012 and 2014, respectively

The compromised ctx package was first discovered by Reddit user 'jimtk'.

Ax Sharma, senior security researcher at Sonatype, said in a blog post that ctx was likely compromised sometime this month and was changed to exfiltrate developer's environment variables to an external server.

ctx is a Python module that enables developers to handle their dictionary (dict) objects in a number of ways.

The package's creator hasn't touched it since 2014. However, from May 15th and continuing this week, newer versions (0.2.2, 0.2.6, and higher) with malicious code appeared, that upload the developer's environment variables to a Heroku endpoint after applying base64 encoding.

According to Sonatype, ctx was replaced in the PyPI registry by versions containing the malicious code as of May 21st, 2022.

The malicious ctx versions have now been removed from PyPI.

Security researcher Yee Ching Tok at the SANS Internet Storm Centre said that malicious code was inserted in ctx in order to acquire the AWS access key ID, machine name and the AWS secret access key when a dictionary is created.

The compromise seems to be the consequence of the ctx maintainer's domain name expiring, with an attacker acquiring access to the account.

In a similar attack, malicious copies of the 'hautelook/phpass' - an immensely popular Composer/PHP package - were published to the Packagist repository.

Somdev Sangwan, an ethical hacker, was the first to reveal the compromise of phpass, claiming that corrupted versions were stealing developers' AWS secret keys.

phpass is an open source password hashing framework used in PHP applications. Over the course of its existence, the framework has been downloaded over 2.5 million times on Packagist.

"Looks like the phpass compromise happened because the owner of the package source - 'hautelook' deleted his account and then the attacker claimed the username," Sangwan said in a series of tweets.

Commits to phpass from 5 days ago include the same endpoint as observed in the compromised ctx versions, suggesting the attacks are connected.

Jordi Boggiano, co-founder of Packagist stated on Twitter that the attack on phpass has been contained.

There has been a huge rise in supply chain attacks in recent months, especially through the npm and PyPI package repositories.

In March, more than 200 malicious packages that attempted to target Azure developers to steal personal identifiable information were removed from npm JavaScript repository.

In February, JFrog researchers said they had discovered and assisted in the removal of 25 malicious JavaScript libraries that had made their way to the official npm package registry with the intent of stealing Discord tokens and environment variables from compromised systems.