
Open source packages with millions of installs hacked to harvest AWS credentials

Two popular open source packages used by Python and PHP developers have been quietly compromised with successful attacks already being reported

Software developers and cyber security experts have discovered a new software supply chain hack that is attempting to harvest Amazon Web Services (AWS) cloud credentials.

The compromise of two popular open-source packages - Python’s eight-year-old CTX and PHP’s phpass - has led to developers scrambling to understand their exposure to the threat. 

A combined 3 million users are believed to be affected by the compromise of the open-source packages and there is already a report of the attack affecting one business.

Businesses that rely on either package are advised to check whether any of their projects auto-updated to the tampered releases. If a compromise is possible, experts are advising that all credentials are rotated. In particular, any download of the affected packages within the last week should be analysed.

The incident was originally spotted by an individual who noticed that the CTX package had been updated to include malicious code. The CTX library is dedicated to allowing developers to use a dot notation to access items held in a dictionary. 

The code added to the library sends all the user’s environment variables, such as access credentials, to a URL. One hacker who cross-referenced other projects associated with the URL’s domain found the PHP package also compromised.

The phpass package is a portable PHP password-hashing framework with more than 2.5 million installs. The malicious code added to phpass looks up the ‘AWS_ACCESS_KEY_ID’ and ‘AWS_SECRET_ACCESS_KEY’ environment variables and sends them to the same domain as the one embedded in the compromised Python library.
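The advice above (check which projects pulled in the packages, then look at recent downloads for the behaviour the article describes) can be turned into two small checks. The following is an added example, not code from the article or from either project: the first function finds the two named packages in a pip requirements file and a composer.lock; the second is a heuristic static scan that flags a source file only when it both reads the AWS credential environment variables (or the whole environment) and makes an outbound network call, which is the combination the report attributes to the tampered releases. The package and variable names come from the article; the Packagist vendor prefix, the version pins and all sample inputs are constructed placeholders, since the page does not give the affected version numbers.

```python
"""Triage helpers for the CTX / phpass supply-chain report (added example)."""
import json
import re
from pathlib import Path

# Names taken from the article. The vendor half of the PHP package is not on
# the page, so the match below only uses the part after the slash.
AFFECTED_PYPI = {"ctx"}
AFFECTED_PACKAGIST_SUFFIX = "phpass"


def _normalize_pypi(name):
    """PEP 503 normalisation so 'Ctx', 'ctx' and 'CTX' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_affected_packages(requirements_text, composer_lock_text):
    """Return every pin of the affected packages found in the two manifests."""
    found = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(("-", "git+")):
            continue                                  # skip -r/-e flags, VCS URLs
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m and _normalize_pypi(m.group(1)) in AFFECTED_PYPI:
            pin = re.search(r"==\s*([^\s;,]+)", line)
            found.append({"ecosystem": "pypi", "name": _normalize_pypi(m.group(1)),
                          "version": pin.group(1) if pin else None,
                          "source": "requirements"})
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name.lower().split("/")[-1] == AFFECTED_PACKAGIST_SUFFIX:
                found.append({"ecosystem": "packagist", "name": name,
                              "version": pkg.get("version"),
                              "source": "composer.lock"})
    return found


# Heuristics for the behaviour described in the article: reading AWS credentials
# from the environment (or dumping the whole environment) plus a network call.
ENV_PATTERNS = {
    "aws_key_name": r"AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY",
    "python_environ": r"\bos\.environ\b",
    "getenv": r"\bgetenv\s*\(",            # os.getenv() and PHP getenv()
    "php_env_superglobal": r"\$_ENV\b",
}
NET_PATTERNS = {
    "python_requests": r"\brequests\.(?:get|post|put|request)\s*\(",
    "python_urllib": r"\burllib\.request\.urlopen\s*\(",
    "python_httpclient": r"\bhttp\.client\.HTTPS?Connection\s*\(",
    "python_socket": r"\bsocket\.(?:socket|create_connection)\s*\(",
    "php_curl": r"\bcurl_init\s*\(",
    "php_remote_fopen": r"\bfile_get_contents\s*\(\s*['\"]https?://",
}


def scan_source_for_env_exfil(source, path="<string>"):
    """Flag a file only when environment access AND a network call co-occur."""
    env_hits = sorted(k for k, p in ENV_PATTERNS.items() if re.search(p, source))
    net_hits = sorted(k for k, p in NET_PATTERNS.items() if re.search(p, source))
    return {"path": path, "suspicious": bool(env_hits and net_hits),
            "env_access": env_hits, "network": net_hits}


def scan_tree(root, suffixes=(".py", ".php")):
    """Scan a site-packages or vendor directory; return only suspicious files."""
    hits = []
    for f in sorted(Path(root).rglob("*")):
        if f.is_file() and f.suffix in suffixes:
            text = f.read_text(encoding="utf-8", errors="replace")
            result = scan_source_for_env_exfil(text, str(f))
            if result["suspicious"]:
                hits.append(result)
    return hits


# Constructed sample inputs (placeholders, not real releases or real code).
SAMPLE_REQUIREMENTS = """# constructed requirements file
example-lib==1.0
ctx==9.9.9   # constructed pin, not a real version
Flask>=2.0
"""
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "vendor-placeholder/phpass", "version": "v9.9.9"},
                 {"name": "vendor-placeholder/logger", "version": "1.0.0"}],
    "packages-dev": [],
})
BENIGN_PY = 'import os\nDEBUG = os.environ.get("APP_DEBUG", "0") == "1"\n'
BENIGN_NET_PY = 'import requests\nr = requests.get("https://api.example.invalid/status")\n'
SUSPECT_PY = ('import os, urllib.request\n'           # constructed detection fixture
              'k = os.getenv("AWS_ACCESS_KEY_ID")\n'
              'urllib.request.urlopen("https://collector.example.invalid/")\n')
SUSPECT_PHP = ('<?php\n$id = getenv("AWS_SECRET_ACCESS_KEY");\n'
               '$ch = curl_init("https://collector.example.invalid/");\n')

if __name__ == "__main__":
    print(find_affected_packages(SAMPLE_REQUIREMENTS, SAMPLE_COMPOSER_LOCK))
    for src in (BENIGN_PY, BENIGN_NET_PY, SUSPECT_PY, SUSPECT_PHP):
        print(scan_source_for_env_exfil(src))
```

The scan is deliberately a co-occurrence heuristic rather than a signature for the specific payload: the article does not reproduce the malicious code, and a credential-reading library that also talks to the network is worth a human look regardless of how the exfiltration is written. Run `scan_tree()` over a virtualenv's site-packages or a PHP vendor directory, then review each flagged file by hand.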

The change to Python’s CTX, complete with the addition of the same malicious code added to phpass, was originally announced two days ago by a user with the alias ‘SocketPuppets’. The account’s social media post history shows it claiming to have published Medium blogs that contain contact information for an apparent online alias, ‘aydinnyunus’.

Looking at the social media, GitHub, and StackExchange accounts associated with aydinnyunus, the identity leads to a university student - though official attribution has not yet been made.


According to one analysis, it appears the Python library was compromised after the maintainer’s domain name had expired and the attacker registered it last week, allowing them to take over the original library by creating the maintainer’s email address at that domain and receiving a password reset email there.

The maintainer of phpass deleted their account, according to a separate analysis, and the attacker is thought to have re-registered the user name: the same user name that created the package nearly ten years ago now belongs to a nine-day-old account.

The Python CTX library has since been removed by The Python Package Index but is still available on GitHub at the time of writing.

Spotlight on the software supply chain

The focus on the open-source software supply chain has been heightened in recent months as a consequence of the hysteria surrounding the Log4Shell vulnerability at the end of 2021. 

The critical and highly difficult-to-locate vulnerability rocked the cyber security community and given the potential ramifications, it put security professionals on high alert for similar threats to businesses.

A few months later, there was another scare around the Spring4Shell vulnerability that again targeted an open-source Java library, though a fix came much sooner and the reported fallout was much less severe than with Log4Shell.

The high-profile discoveries have nonetheless left a legacy on the security industry, as MITRE announced last week that it has built a prototype framework to help identify vulnerabilities in software before big scares like the one caused by Log4Shell can happen again.
