IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Open source packages with millions of installs hacked to harvest AWS credentials

Two popular open source packages used by Python and PHP developers have been quietly compromised with successful attacks already being reported

Software developers and cyber security experts have discovered a new software supply chain hack that is attempting to harvest Amazon Web Services (AWS) cloud credentials.

The compromise of two popular open-source packages - Python’s eight-year-old CTX and PHP’s phpass - has led to developers scrambling to understand their exposure to the threat. 

A combined 3 million users are believed to be affected by the compromise of the open-source packages and there is already a report of the attack affecting one business.

Businesses that rely on either package are advised to check that they have not auto-updated on any projects. If there is a potential compromise, experts are advising that all credentials are updated. All downloads of the affected open-source packages within the last week should be analysed in particular.

The incident was originally spotted by an individual who noticed that the CTX package had been updated to include malicious code. The CTX library is dedicated to allowing developers to use a dot notation to access items held in a dictionary. 

The code added to the library sends all the user’s environment variables, such as access credentials, to a URL. One hacker who cross-referenced other projects associated with the URL’s domain found the PHP package also compromised.

The phpass package is a portable PHP password-hashing framework with more than 2.5 million installs. The malicious code added to phpass shows the package attempting to locate ‘AWS_ACCESS_KEY_ID’ and ‘AWS_SECRET_ACCESS_KEY’ before sending them back to the same domain as the one included in the compromised Python library. 

The change to Python’s CTX, complete with the addition of the same malicious code added to phpass, was originally announced two days ago by a user with an alias of ‘SocketPuppets’. After looking at social media post history, the account claims to have published Medium blogs that contain contact information for a seemingly online alias ‘aydinnyunus’.

Looking at the social media, GitHub, and StackExchange accounts associated with aydinnyunus, the identity leads to a university student - though official attribution has not yet been made.

Related Resource

The state of email security 2022

Confronting the new wave of cyber attacks

Whitepaper cover with image of a man walking along a beach, with a line graph overlayFree Download

According to one analysis, it appears the Python library was compromised after the maintainer’s domain name had expired and the attacker registered it last week, allowing them to take over the original library by registering a corresponding email to receive a password reset email.

The maintainer of phpass deleted their account, according to a separate analysis, and the attacker is thought to have taken the user name given that the same user name that created the package nearly ten years ago now belongs to a nine-day-old account.

The Python CTX library has since been removed by The Python Package Index but is still available on GitHub at the time of writing.

Spotlight on the software supply chain

The focus on the open-source software supply chain has been heightened in recent months as a consequence of the hysteria surrounding the Log4Shell vulnerability at the end of 2021. 

The critical and highly difficult-to-locate vulnerability rocked the cyber security community and given the potential ramifications, it put security professionals on high alert for similar threats to businesses.

A few months later, there was another scare around the Spring4Shell vulnerability that again targeted an open-source Java library, though a fix came much sooner and the reported fallout was much less severe than with Log4Shell.

The high-profile discoveries have nonetheless left a legacy on the security industry, as MITRE announced last week that has built a prototype framework that helps to identify vulnerabilities in software before big scares like the one caused by Log4Shell can happen again.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
Attracting and retaining talent through training
Sponsored

Attracting and retaining talent through training

13 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022