Security News > 2022 > May > Popular PyPI and PHP libraries hijacked to steal AWS keys
PyPI module 'ctx' that gets downloaded over 20,000 times a week has been compromised in a software supply chain attack with malicious versions stealing the developer's environment variables.
The threat actor even replaced the older, safe versions of 'ctx' with code that exfiltrates the developer's environment variables, to collect secrets like Amazon AWS keys and credentials.
Heavily downloaded PyPI package 'ctx' has been compromised sometime this month with newly published versions exfiltrating your environment variables to an external server.
Although PyPI has taken down the malicious 'ctx' versions as of a few hours ago, copies retrieved from Sonatype's malware archives show presence of malicious code within all 'ctx' versions.
PHP package 'phpass' altered to steal AWS credentials.
The presence of identical logic and Heroku endpoints within the PyPI and PHP packages indicate a common threat actor being responsible for both of these hijacks.