Multiple backdoored Python libraries caught stealing AWS secrets and keys


Researchers have discovered a number of malicious Python packages in the official third-party software repository designed to exfiltrate AWS credentials and environment variables to a publicly visible endpoint.

The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages and also the endpoint are now removed.

“Some of these packages either contain code that reads and exfiltrates your secrets or uses one of the dependencies that will do the job,” Sharma said

The malicious code injected into “loglib-modules” and “pygrata-utils” allows the packages to collect AWS credentials, network interface information, and environment variables and export them to a remote endpoint: “hxxp:// graph.pygrata[.]com:8000/upload.”

Disturbingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secured by any authentication barrier, effectively allowing any party on the Internet to access these credentials.

It is noteworthy that packages such as “pygrata” use one of the above two modules as a dependency and do not house the code itself. The identity of the threat actor and their motives remain unclear.

“Were the stolen credentials being published on the internet intentionally or were they the result of bad OPSEC practices?” Sharma wondered. “If this were some sort of legitimate security test, there certainly isn’t much information at this point to rule out the suspicious nature of this activity.”

This is not the first time such rogue packages have been unearthed in open source repositories. Exactly one month ago, two trojanized Python and PHP packages, called ctx and phpass, were discovered in yet another case of a software supply chain attack.

An Istanbul-based security researcher, Yunus Aydın, then claimed responsibility for the unauthorized changes, stating that he just wanted to “show how this simple attack affects more than 10 million users and businesses”.

In a similar vein, a German penetration testing company called Code White last month featured uploading malicious packages to the NPM registry in an attempt to realistically mimic dependency confusion attacks targeting its customers in the country, most of which featured prominent media outlets. , logistics, and industrial companies.