Security News

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "Ctx," a Python module available in the PyPi repository.

A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source software modules in Python and PHP. Following on-line discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPi repository had suddenly received an "Update", despite not otherwise being touched since late 2014. In theory, of course, there's nothing wrong with old packages suddenly coming back to life.

The hacker behind this hijack has now broken silence and explained his reasons to BleepingComputer. The hijacker of these libraries is an Istanbul-based security researcher, Yunus Aydın aka SockPuppets, who has attested to the fact when approached by BleepingComputer.

The threat actor even replaced the older, safe versions of 'ctx' with code that exfiltrates the developer's environment variables, to collect secrets like Amazon AWS keys and credentials. Versions of a 'phpass' fork published to the PHP/Composer package repository Packagist had been altered to steal secrets in a similar fashion.

PyPI module 'ctx' that gets downloaded over 20,000 times a week has been compromised in a software supply chain attack with malicious versions stealing the developer's environment variables. The threat actor even replaced the older, safe versions of 'ctx' with code that exfiltrates the developer's environment variables, to collect secrets like Amazon AWS keys and credentials.

LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to mine cryptocurrency on Linux systems as part of an active malware campaign. With compromised cloud instances becoming a hotbed for illicit cryptocurrency mining activities, the findings underscore the need to secure containers from potential risks throughout the software supply chain.

Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation. The vulnerabilities introduced by Amazon's Log4j hotpatch - CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 - are all high-severity bugs rated 8.8 out of 10 on the CVSS. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install.

A local file read vulnerability in Amazon's Relational Database Service could be exploited to allow an attacker to gain access to internal AWS credentials, the cloud behemoth has confirmed. While no in-the-wild attacks exploited the bug, AWS confirmed it gave researchers access "To internal credentials that were specific to their Aurora cluster."

AWS secures the underlying Lambda execution environment, yet it is up to the customer to secure the functions. Cado Labs has exposed the first publicly known case of malware specifically designed to run in an AWS Lambda environment.

Security researchers have discovered the first malware specifically developed to target Amazon Web Services Lambda cloud environments with cryptominers. AWS Lambda is a serverless computing platform for running code from hundreds of AWS services and software as a service apps without managing servers.