Open source packages with millions of installs hacked to harvest AWS credentials

A screen showing code written in Python, with purple light reflecting off the surface
(Image credit: Bigstock)

Software developers and cyber security experts have discovered a new software supply chain hack that is attempting to harvest Amazon Web Services (AWS) cloud credentials.

The compromise of two popular open-source packages - Python’s eight-year-old CTX and PHP’s phpass - has led to developers scrambling to understand their exposure to the threat.

A combined 3 million users are believed to be affected by the compromise of the open-source packages and there is already a report of the attack affecting one business.

Businesses that rely on either package are advised to check that they have not auto-updated on any projects. If there is a potential compromise, experts are advising that all credentials are updated. All downloads of the affected open-source packages within the last week should be analysed in particular.

The incident was originally spotted by an individual who noticed that the CTX package had been updated to include malicious code. The CTX library is dedicated to allowing developers to use a dot notation to access items held in a dictionary.

The code added to the library sends all the user’s environment variables, such as access credentials, to a URL. One hacker who cross-referenced other projects associated with the URL’s domain found the PHP package also compromised.

The phpass package is a portable PHP password-hashing framework with more than 2.5 million installs. The malicious code added to phpass shows the package attempting to locate ‘AWS_ACCESS_KEY_ID’ and ‘AWS_SECRET_ACCESS_KEY’ before sending them back to the same domain as the one included in the compromised Python library.

The change to Python’s CTX, complete with the addition of the same malicious code added to phpass, was originally announced two days ago by a user with an alias of ‘SocketPuppets’. After looking at social media post history, the account claims to have published Medium blogs that contain contact information for a seemingly online alias ‘aydinnyunus’.

Looking at the social media, GitHub, and StackExchange accounts associated with aydinnyunus, the identity leads to a university student - though official attribution has not yet been made.


The state of email security 2022

Confronting the new wave of cyber attacks


According to one analysis, it appears the Python library was compromised after the maintainer’s domain name had expired and the attacker registered it last week, allowing them to take over the original library by registering a corresponding email to receive a password reset email.

The maintainer of phpass deleted their account, according to a separate analysis, and the attacker is thought to have taken the user name given that the same user name that created the package nearly ten years ago now belongs to a nine-day-old account.

The Python CTX library has since been removed by The Python Package Index but is still available on GitHub at the time of writing.

Spotlight on the software supply chain

The focus on the open-source software supply chain has been heightened in recent months as a consequence of the hysteria surrounding the Log4Shell vulnerability at the end of 2021.

The critical and highly difficult-to-locate vulnerability rocked the cyber security community and given the potential ramifications, it put security professionals on high alert for similar threats to businesses.

A few months later, there was another scare around the Spring4Shell vulnerability that again targeted an open-source Java library, though a fix came much sooner and the reported fallout was much less severe than with Log4Shell.

The high-profile discoveries have nonetheless left a legacy on the security industry, as MITRE announced last week that has built a prototype framework that helps to identify vulnerabilities in software before big scares like the one caused by Log4Shell can happen again.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.