

Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys

Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint.

The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages as well as the endpoint have now been taken down.

“Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job,” Sharma said.

The malicious code injected into “loglib-modules” and “pygrata-utils” allows the packages to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint: “hxxp://graph.pygrata[.]com:8000/upload”.

Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secured by any authentication barrier, effectively permitting any party on the web to access these credentials.

It’s noteworthy that packages like “pygrata” use one of the aforementioned two modules as a dependency and do not harbor the code themselves. The identity of the threat actor and their motives remain unclear.
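Because a package such as “pygrata” carries no malicious code of its own, checking only for the flagged names at the top level of a requirements file is not enough. The following audit is an added example, not code from Sonatype or the article: it walks the declared dependencies of every installed distribution and reports any that reach one of the package names listed above. The function names are hypothetical.

```python
import re
from collections import deque
from importlib import metadata

# Package names reported in the article above.
FLAGGED = {"loglib-modules", "pyg-modules", "pygrata", "pygrata-utils", "hkg-sol-utils"}

def normalize(name):
    """PEP 503 normalization, so 'Pygrata_Utils' matches 'pygrata-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(req):
    """Project name from a Requires-Dist string, e.g. 'foo[x]>=1; extra == "y"'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    return normalize(m.group(1)) if m else None

def installed_graph():
    """Map each installed distribution to the names it declares as dependencies."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            deps = {requirement_name(r) for r in (dist.requires or [])}
            graph[normalize(name)] = deps - {None}
    return graph

def find_exposure(graph, flagged=FLAGGED):
    """Return {package: shortest dependency path ending at a flagged package}."""
    flagged = {normalize(f) for f in flagged}
    reverse = {}  # dependency -> packages that declare it
    for pkg, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(pkg)
    # Seed with flagged names that are installed or declared by something installed.
    next_hop = {f: None for f in flagged if f in graph or f in reverse}
    queue = deque(sorted(next_hop))
    while queue:  # breadth-first walk from flagged packages up to their dependents
        cur = queue.popleft()
        for parent in sorted(reverse.get(cur, ())):
            if parent not in next_hop:
                next_hop[parent] = cur
                queue.append(parent)
    paths = {}
    for pkg in next_hop:
        path, node = [], pkg
        while node is not None:
            path.append(node)
            node = next_hop[node]
        paths[pkg] = path
    return paths

if __name__ == "__main__":
    for pkg, path in sorted(find_exposure(installed_graph()).items()):
        print(f"{pkg}: {' -> '.join(path)}")
```

Dependencies declared only under an optional extra are counted as well, so a hit means the path is declared, not necessarily installed.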

“Were the stolen credentials being intentionally exposed on the web or a consequence of poor OPSEC practices?” Sharma questioned. “Should this be some kind of legitimate security testing, there surely isn’t much information at this time to rule out the suspicious nature of this activity.”

This is not the first time such rogue packages have been unearthed on open source repositories. Exactly a month back, two trojanized Python and PHP packages, named ctx and phpass, were uncovered in yet another instance of a software supply chain attack.

An Istanbul-based security researcher, Yunus Aydın, subsequently claimed responsibility for the unauthorized modifications, stating he merely wanted to “show how this simple attack affects +10M users and companies.”

In a similar vein, a German penetration testing company named Code White owned up last month to uploading malicious packages to the NPM registry in a bid to realistically mimic dependency confusion attacks targeting its customers in the country, most of which are prominent media, logistics, and industrial firms.

