Updated on 2022-10-05
SonarSource researchers said they found a vulnerability in Packagist, the repository for the PHP Composer package installer, which could have allowed them to hijack the service’s backend and mount supply chain attacks against the service’s users. SonarSource said Packagist fixed the reported vulnerability “within hours” after their report. Read more: Securing Developer Tools: A New Supply Chain Attack on PHP
Overview: Python and PHP libraries hijacked to steal AWS keys
Developers had a very bad day on Tuesday after news broke that two very popular Python and PHP libraries got compromised after a threat actor gained access to their respective developers’ accounts and pushed new versions containing malicious code.
The incidents impacted the CTX Python library on PyPI and hautelook/PHPass PHP library on the Packagist portal. Both are very popular libraries with tens of thousands of weekly downloads, according to DevOps security firm Sonatype.
The code added to the new versions of both libraries would collect environment details from a developer's computer, such as AWS keys and other server credentials, and upload the data to a remote Heroku app, hosted at:
Because the exfiltration URL pointed to the same Heroku app, investigators believe both attacks were carried out by the same threat actor, who was most likely looking to collect AWS keys so they could hijack cloud resources and mine cryptocurrency.
Even though the security of open source supply chains is nowhere near as good as some experts would want, the attack was detected rather quickly, mainly because both libraries had been abandoned and had not received new versions in years. The unexpected releases raised concern among some of their more attentive users, some of whom reported the unusual updates on Reddit.
The attack seems to have impacted Python developers more than PHP coders, as the hautelook/PHPass library had been abandoned and its releases deleted last September, so most devs had already moved to other libraries in the meantime.
Nevertheless, the incident did have a major impact on the Python community, where the malicious CTX versions were downloaded more than 27,000 times between May 14 and May 24, according to an IR report published by the Python security team late Tuesday night.
The same report also concluded (and confirmed an ISC SANS report from earlier in the day) that the attacker gained access to the CTX developer's account by identifying their email address and re-registering the email domain after it had expired. This rather new account hijacking technique allowed the threat actor to reset the developer's PyPI account password and then push the malicious versions two weeks ago.