Researchers have unraveled a series of malicious Python packages in the official third-party software repository that are engineered to draw out AWS credentials and environment variables onto a publicly exposed endpoint.
According to Sonatype security researcher Ax Sharma, some of the packages include loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils. Both the packages and the endpoints have now been taken down.
“Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job,” Sharma said.
The malicious code injected into “loglib-modules” and “pygrata-utils” enable the packages to obtain AWS credentials, network interface information, and environment variables and export them to a remote endpoint.
These endpoints hosting this information via hundreds of .TXT files were not secured by any authentication barrier, thus allowing any party on the web to obtain these credentials.
“Were the stolen credentials being intentionally exposed on the web or a consequence of poor OPSEC practices?Should this be some kind of legitimate security testing, there surely isn’t much information at this time to rule out the suspicious nature of this activity,” Sharma said.
A Turkey-based security researcher, Yunus Aydın, has claimed responsibility for the unauthorized changes, stating he merely wanted to “show how this simple attack affects +10M users and companies.”
Incidentally, Code White, a German penetration testing company, claimed responsibility for uploading malicious packages to the NPM registry, attempting to realistically mimic dependency confusion attacks aimed at its customers in the country, most of whom are big media, logistics, and industrial firms.