IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Open source packages with millions of installs hacked to harvest AWS credentials

Two popular open source packages used by Python and PHP developers have been quietly compromised with successful attacks already being reported

Software developers and cyber security experts have discovered a new software supply chain hack that is attempting to harvest Amazon Web Services (AWS) cloud credentials.

The compromise of two popular open-source packages - Python’s eight-year-old CTX and PHP’s phpass - has led to developers scrambling to understand their exposure to the threat. 

A combined 3 million users are believed to be affected by the compromise of the open-source packages and there is already a report of the attack affecting one business.

Businesses that rely on either package are advised to check that they have not auto-updated on any projects. If there is a potential compromise, experts are advising that all credentials are updated. All downloads of the affected open-source packages within the last week should be analysed in particular.

The incident was originally spotted by an individual who noticed that the CTX package had been updated to include malicious code. The CTX library is dedicated to allowing developers to use a dot notation to access items held in a dictionary. 

The code added to the library sends all the user’s environment variables, such as access credentials, to a URL. One hacker who cross-referenced other projects associated with the URL’s domain found the PHP package also compromised.

The phpass package is a portable PHP password-hashing framework with more than 2.5 million installs. The malicious code added to phpass shows the package attempting to locate ‘AWS_ACCESS_KEY_ID’ and ‘AWS_SECRET_ACCESS_KEY’ before sending them back to the same domain as the one included in the compromised Python library. 

The change to Python’s CTX, complete with the addition of the same malicious code added to phpass, was originally announced two days ago by a user with an alias of ‘SocketPuppets’. After looking at social media post history, the account claims to have published Medium blogs that contain contact information for a seemingly online alias ‘aydinnyunus’.

Looking at the social media, GitHub, and StackExchange accounts associated with aydinnyunus, the identity leads to a university student - though official attribution has not yet been made.

Related Resource

The state of email security 2022

Confronting the new wave of cyber attacks

Whitepaper cover with image of a man walking along a beach, with a line graph overlayFree Download

According to one analysis, it appears the Python library was compromised after the maintainer’s domain name had expired and the attacker registered it last week, allowing them to take over the original library by registering a corresponding email to receive a password reset email.

The maintainer of phpass deleted their account, according to a separate analysis, and the attacker is thought to have taken the user name given that the same user name that created the package nearly ten years ago now belongs to a nine-day-old account.

The Python CTX library has since been removed by The Python Package Index but is still available on GitHub at the time of writing.

Spotlight on the software supply chain

The focus on the open-source software supply chain has been heightened in recent months as a consequence of the hysteria surrounding the Log4Shell vulnerability at the end of 2021. 

The critical and highly difficult-to-locate vulnerability rocked the cyber security community and given the potential ramifications, it put security professionals on high alert for similar threats to businesses.

A few months later, there was another scare around the Spring4Shell vulnerability that again targeted an open-source Java library, though a fix came much sooner and the reported fallout was much less severe than with Log4Shell.

The high-profile discoveries have nonetheless left a legacy on the security industry, as MITRE announced last week that has built a prototype framework that helps to identify vulnerabilities in software before big scares like the one caused by Log4Shell can happen again.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Samsung proposes 11 Texas semiconductor plants worth $191 billion

Samsung proposes 11 Texas semiconductor plants worth $191 billion

21 Jul 2022
Should you take your password manager off the internet?

Should you take your password manager off the internet?

28 Jul 2022