Python and PHP libraries have been hijacked to release malicious versions that collect developer information.



It turns out that 'ctx', a popular module for the programming language Python, had undergone malicious changes that compromised the information of developers who acquired the module. It is also reported that 'phpass', a module for the open source programming language PHP that has been downloaded more than 2.5 million times, also had a malicious version.

Popular Python and PHP libraries hijacked to steal AWS keys
https://www.bleepingcomputer.com/news/security/popular-python-and-php-libraries-hijacked-to-steal-aws-keys/

PyPI package 'ctx' and PHP library 'phpass' compromised to steal environment variables
https://blog.sonatype.com/pypi-package-ctx-compromised-are-you-at-risk

'ctx' is a Python module that lets developers work with 'dictionary objects' in a variety of ways, and is a popular package that is downloaded over 20,000 times a week. It had not been updated by its developers since 2014; a new version finally appeared on May 15, 2022, but it turned out that malicious code had been added.


by Sonatype

Scrutiny by the security research team at Sonatype, a software security company in the United States, has shown that all versions of 'ctx' contain malicious code. Sonatype reports that not only the malicious version removed from the Python Package Index (PyPI), but also version 0.1.2, which had not changed since 2014, was replaced by the malicious version as well.



In addition, hacker Samdeb Sangwan said on May 24, 2022, 'The PHP package 'phpass' contains malicious code, which may compromise the AWS (Amazon Web Services) key.'




The breach of 'phpass' is considered a similar attack carried out through a malicious version update. phpass has been downloaded more than 2.5 million times since it was released in 2005. The number of downloads since it was updated to a malicious version is unknown, but because it is a popular package, a certain number of users are believed to have been compromised.

When the malicious 'ctx' module is installed, it collects and uploads all environment variables in the development environment. The changed file in 'phpass' also appears to have been designed to search specifically for the values of 'AWS_ACCESS_KEY' and 'AWS_SECRET_KEY' in the installed environment and upload them to the same endpoint.

'These attacks were by the same person, and their identities have been revealed,' the researchers said, and refrained from making specific announcements until details were revealed. Researchers refer to this type of attack as 'repojacking' (repository hijacking), and are calling attention to the fact that a sudden change to a repository that has not been updated for many years may be malicious.
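One way to check a dependency's release history for the pattern described above: a long-dormant package that suddenly publishes, or an old version whose files were uploaded after a newer release. This is an added example, not code from Sonatype or the article. The sample data is constructed (shaped like the `releases` field of PyPI's JSON API), and the function names, package name and two-year threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: versions, filenames and timestamps are illustrative only.
SAMPLE_RELEASES = {
    "0.1.0": [{"filename": "example-0.1.0.tar.gz",
               "upload_time_iso_8601": "2014-03-01T10:00:00Z"}],
    "0.2.0": [{"filename": "example-0.2.0.tar.gz",
               "upload_time_iso_8601": "2022-05-15T10:00:00Z"}],
    # An old version number whose file was uploaded after the newer release.
    "0.1.2": [{"filename": "example-0.1.2.tar.gz",
               "upload_time_iso_8601": "2022-05-21T10:00:00Z"}],
}


def _first_upload(files):
    """Earliest upload time among the files of one release."""
    return min(
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )


def _vkey(version):
    """Sort key for plain dotted numeric versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def audit_releases(releases, dormancy=timedelta(days=730)):
    """Return (version, reason) findings for suspicious release timing."""
    timeline = sorted(
        (_first_upload(files), version)
        for version, files in releases.items() if files
    )
    findings, highest = [], None
    for i, (when, version) in enumerate(timeline):
        if i > 0:
            gap = when - timeline[i - 1][0]
            if gap > dormancy:
                findings.append(
                    (version, f"published after {gap.days} days of inactivity"))
        if highest is not None and _vkey(version) < _vkey(highest):
            findings.append((version, f"uploaded after newer version {highest}"))
        else:
            highest = version
    return findings


if __name__ == "__main__":
    for version, reason in audit_releases(SAMPLE_RELEASES):
        print(f"{version}: {reason}")
```

A finding is a prompt to review the release diff and pin to a known-good hash before upgrading, not proof of compromise.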

in Security, Posted by log1e_dh