Widely used Python and PHP libraries compromised


In a software supply chain attack, the PyPI module ctx has been compromised. In this attack, the legitimate version of the module (which is downloaded 20,000 times a week) was replaced with code that exfiltrates the developer’s environment variables in order to collect secrets such as Amazon AWS keys.

‘Ctx’ is a minimal Python module that lets developers manipulate dictionary (‘dict’) objects in a number of ways. Interestingly, after the package had remained untouched for 8 years, new versions containing malicious code started emerging on May 15. PyPI soon took down the malicious ctx versions; however, reports still indicate the presence of malicious code within all ctx versions.


Further, attacker-controlled versions of a PHPass fork, published to the PHP/Composer package repository Packagist, were altered to steal confidential keys and credentials. PHPass is an open-source password hashing framework that can be used in PHP applications. Released in 2005, the framework has been downloaded over 2.5 million times on Packagist. As per reports, malicious commits were made to the PHPass project this week to steal environment variables.

The presence of identical logic and Heroku endpoints within the PyPI and PHP packages indicates that a common threat actor is responsible for both of these hijacks. While there is some suspicion around the identity of the attackers, experts are not ruling out the possibility of a PoC exercise gone wrong.
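As an added illustration (not code from the article or from the ctx or PHPass projects) of how a defender might triage a dependency for the behaviour described above, the following Python script statically scans a module's source for the combination the report describes: reading environment variables and calling into a network module. The module lists, accessor names and the two sample snippets are assumptions constructed for this example.

```python
import ast

# Assumed heuristic lists: top-level modules implying network egress, and the
# attribute names through which Python code usually reads environment variables.
NETWORK_MODULES = {"urllib", "requests", "http", "socket"}
ENV_ACCESSORS = {"environ", "getenv"}


class _Scanner(ast.NodeVisitor):
    def __init__(self):
        self.env_reads, self.net_calls, self.net_names = [], [], set()

    def visit_Import(self, node):
        for alias in node.names:
            top = alias.name.split(".")[0]  # "urllib.request" -> "urllib"
            if top in NETWORK_MODULES:
                self.net_names.add(alias.asname or top)

    def visit_ImportFrom(self, node):
        if node.module and node.module.split(".")[0] in NETWORK_MODULES:
            self.net_names.update(a.asname or a.name for a in node.names)

    def visit_Attribute(self, node):
        if node.attr in ENV_ACCESSORS:  # os.environ / os.getenv
            self.env_reads.append(node.lineno)
        self.generic_visit(node)

    def visit_Call(self, node):
        root = node.func
        while isinstance(root, ast.Attribute):  # urllib.request.urlopen -> urllib
            root = root.value
        if isinstance(root, ast.Name) and root.id in self.net_names:
            self.net_calls.append(node.lineno)
        self.generic_visit(node)


def scan_source(source):
    """Return (env_read_lines, net_call_lines, suspicious); only the combination is flagged."""
    s = _Scanner()
    s.visit(ast.parse(source))
    return s.env_reads, s.net_calls, bool(s.env_reads and s.net_calls)


# Constructed samples (not the real ctx code): a benign module, and one mirroring
# the reported pattern of reading the environment and contacting a remote endpoint.
BENIGN = "import os\nHOME = os.environ.get('HOME')\n"
SUSPECT = ("import os\nimport urllib.request\n"
           "ENV = dict(os.environ)\n"
           "urllib.request.urlopen('https://EXAMPLE-ENDPOINT.invalid')\n")
```

Either behaviour alone is common in legitimate packages, so the scan is a triage signal to be followed by manual review of the flagged lines, not a verdict.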


Shraddha Goled
I am a technology journalist with AIM. I write stories focused on the AI landscape in India and around the world with a special interest in analysing its long term impact on individuals and societies. Reach out to me at shraddha.goled@analyticsindiamag.com.
