Poisoned Python and PHP packages purloin passwords for AWS access


A sharp-eyed researcher at SANS recently wrote about a new and rather specific type of supply chain attack against open source software modules in Python and PHP.


Following an online discussion about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPI repository had suddenly received an “update”, despite not having been touched since late 2014.

In theory, of course, there is nothing wrong with an old package suddenly coming back to life.

Sometimes, developers return to older projects when their regular schedule (or a guilt-inducing email from a long-standing user) finally motivates them to apply some long-overdue bug fixes.

In other cases, new maintainers step in, in good faith, to revive “abandonware” projects.

However, packages can also fall victim to covert takeovers, where the relevant account passwords are hacked, stolen, reset or otherwise compromised, turning the package into a beachhead for a new wave of supply chain attacks.

Simply put, some “revived” packages are run entirely in bad faith, giving cybercriminals a vehicle for distributing malware under the guise of “security updates” or “feature improvements”.

Attackers don’t necessarily target any specific user of the package they compromise – often, they simply sit back and wait to see whether anyone installs the booby-trapped package in a bait-and-switch …

… at which point they have a foothold for targeting the users or companies that do.
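To make the “revived after years of silence” signal concrete, here is an added example (written for this page, not code from the SANS post or from the ctx project) that flags a package whose newest release landed after a long dormant stretch. It works on data in the shape of the PyPI JSON API’s `releases` map (`GET https://pypi.org/pypi/<name>/json`), but the package names, versions and upload dates below are constructed for illustration and are not the real ctx release history, and the 730-day threshold is an arbitrary choice.

```python
from datetime import datetime, timedelta

# Constructed sample data in the shape of the PyPI JSON API "releases" map:
# {version: [file records]}. Dates and versions are illustrative only and
# mirror the pattern in the article (last genuine release late 2014, a
# surprise release years later); they are NOT the actual ctx history.
DORMANT_THEN_REVIVED = {
    "0.1.0": [{"filename": "pkg-0.1.0.tar.gz",
               "upload_time_iso_8601": "2014-10-01T10:00:00.000000Z"}],
    "0.1.2": [{"filename": "pkg-0.1.2.tar.gz",
               "upload_time_iso_8601": "2014-12-19T10:00:00.000000Z"}],
    "0.2.2": [{"filename": "pkg-0.2.2.tar.gz",
               "upload_time_iso_8601": "2022-05-15T10:00:00.000000Z"},
              {"filename": "pkg-0.2.2-py3-none-any.whl",
               "upload_time_iso_8601": "2022-05-15T10:01:00.000000Z"}],
}

# Constructed control case: a package released at a steady cadence.
ACTIVELY_MAINTAINED = {
    "1.0.0": [{"filename": "lib-1.0.0.tar.gz",
               "upload_time_iso_8601": "2021-01-10T10:00:00.000000Z"}],
    "1.1.0": [{"filename": "lib-1.1.0.tar.gz",
               "upload_time_iso_8601": "2021-09-03T10:00:00.000000Z"}],
    "1.2.0": [{"filename": "lib-1.2.0.tar.gz",
               "upload_time_iso_8601": "2022-04-20T10:00:00.000000Z"}],
}

# PyPI's upload_time_iso_8601 field looks like 2014-12-19T10:00:00.000000Z
PYPI_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Arbitrary threshold (assumption): two years of silence is "dormant".
DEFAULT_MAX_GAP = timedelta(days=730)


def release_timeline(releases):
    """Return [(version, first_upload_datetime)] ordered by upload time.

    A version is dated by its earliest file (sdist or wheel). Versions with
    no files (e.g. fully removed) carry no date and are skipped.
    """
    timeline = []
    for version, files in releases.items():
        times = [datetime.strptime(f["upload_time_iso_8601"], PYPI_TIME_FORMAT)
                 for f in files]
        if times:
            timeline.append((version, min(times)))
    timeline.sort(key=lambda item: item[1])
    return timeline


def dormancy_gap(releases):
    """(latest_version, previous_version, gap) between the two most recent
    releases by upload time, or None if fewer than two dated releases exist."""
    timeline = release_timeline(releases)
    if len(timeline) < 2:
        return None
    (prev_version, prev_time), (latest_version, latest_time) = timeline[-2:]
    return latest_version, prev_version, latest_time - prev_time


def is_suspicious_revival(releases, max_gap=DEFAULT_MAX_GAP):
    """True when the newest release arrived after more than max_gap of silence."""
    gap = dormancy_gap(releases)
    return gap is not None and gap[2] > max_gap


def revival_report(name, releases, max_gap=DEFAULT_MAX_GAP):
    """Summarise the check for one package as a plain dict (easy to log/alert)."""
    gap = dormancy_gap(releases)
    if gap is None:
        return {"package": name, "latest": None, "previous": None,
                "gap_days": None, "suspicious": False}
    latest, previous, delta = gap
    return {"package": name, "latest": latest, "previous": previous,
            "gap_days": delta.days, "suspicious": delta > max_gap}


if __name__ == "__main__":
    for name, data in (("pkg", DORMANT_THEN_REVIVED), ("lib", ACTIVELY_MAINTAINED)):
        print(revival_report(name, data))
```

A long gap is a prompt to look, not proof of compromise: a legitimate maintainer may simply have returned. The follow-up questions are the ones the article’s takeover scenario suggests: did the uploading account or the project’s contact details change around the new release, does the published artefact match the project’s tagged source, and has anything in your own lockfile been bumped to the new version without anyone asking for it.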