Popular Python and PHP libraries hijacked to steal AWS keys (Security News, May 2022)
The threat actor even replaced the older, safe versions of 'ctx' with code that exfiltrates the developer's environment variables to collect secrets such as AWS keys and credentials.
Versions of a 'phpass' fork published to the PHP/Composer package repository Packagist had been altered to steal secrets in a similar fashion.
Python library 'ctx' uploads secrets to a Heroku endpoint.
'ctx' is a minimal Python module that lets developers manipulate their dictionary objects in a variety of ways.
PHP package 'phpass' altered to steal AWS credentials.
In an identical attack, the fork of an immensely popular Composer/PHP package, 'hautelook/phpass', was compromised, with malicious versions published to the Packagist repository.