Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint.
The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages and as well as the endpoint have now been taken down.
“Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job,” Sharma said.
The malicious code injected into “loglib-modules” and “pygrata-utils” allow the packages to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint: “hxxp://graph.pygrata[.]com:8000/upload.”
Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secured by any authentication barrier, effectively permitting any party on the web to access these credentials.
It’s noteworthy that packages like “pygrata” use one of the aforementioned two modules as a dependency and do not harbor the code themselves. The identity of the threat actor and their motives remain unclear.
“Were the stolen credentials being intentionally exposed on the web or a consequence of poor OPSEC practices?,” Sharma questioned. “Should this be some kind of legitimate security testing, there surely isn’t much information at this time to rule out the suspicious nature of this activity.”
This is not the first time such rogue packages have been unearthed on open source repositories. Exactly a month back, two trojanized Python and PHP packages, named ctx and phpass, were uncovered in yet another instance of a software supply chain attack.
An Istanbul-based security researcher, Yunus Aydın, subsequently, claimed responsibility for the unauthorized modifications, stating he merely wanted to “show how this simple attack affects +10M users and companies.”
In a similar vein, a German penetration testing company named Code White-owned up last month to uploading malicious packages to the NPM registry in a bid to realistically mimic dependency confusion attacks targeting its customers in the country, most of which are prominent media, logistics, and industrial firms.
Suggest an edit to this article
Go to Cybersecurity Knowledge Base
Got to the Latest Cybersecurity News
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
