• Latest
  • Trending
Popular PyPI and PHP libraries hijacked to steal AWS keys

Popular PyPI and PHP libraries hijacked to steal AWS keys

May 24, 2022
Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023
Vice President Dr. Bawumia inaugurates  ICT Hub

Vice President Dr. Bawumia inaugurates ICT Hub

April 2, 2023
Co-Creation Hub’s edtech accelerator puts $15M towards African startups

Co-Creation Hub’s edtech accelerator puts $15M towards African startups

February 20, 2023
Data Leak Hits Thousands of NHS Workers

Data Leak Hits Thousands of NHS Workers

February 20, 2023
EU Cybersecurity Agency Warns Against Chinese APTs

EU Cybersecurity Agency Warns Against Chinese APTs

February 20, 2023
How Your Storage System Will Still Be Viable in 5 Years’ Time?

How Your Storage System Will Still Be Viable in 5 Years’ Time?

February 20, 2023
The Broken Promises From Cybersecurity Vendors

Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

February 20, 2023
Instagram and Facebook to get paid-for verification

Instagram and Facebook to get paid-for verification

February 20, 2023
YouTube CEO Susan Wojcicki steps down after nine years

YouTube CEO Susan Wojcicki steps down after nine years

February 20, 2023
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Friday, 17 July, 2026
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

Popular PyPI and PHP libraries hijacked to steal AWS keys

by ITECHNEWS
May 24, 2022
in Infosec, Leading Stories
0 0
0
Popular PyPI and PHP libraries hijacked to steal AWS keys

PyPI module ‘ctx’ that gets downloaded over 20,000 times a week has been compromised in a software supply chain attack with malicious versions stealing the developer’s environment variables.

The threat actor even replaced the older, safe versions of ‘ctx’ with code that exfiltrates the developer’s environment variables, to collect secrets like Amazon AWS keys and credentials.

YOU MAY ALSO LIKE

French Telco Orange Hit by Cyber-Attack

ATC Ghana supports Girls-In-ICT Program

Additionally, versions of a ‘phpass’ fork published to the PHP/Composer package repository Packagist had been altered to steal secrets in a similar fashion.

PHPass framework has incurred over 2.5 million downloads on the Packagist repository over its lifetime—although the downloads for malicious versions are believed to be far more limited.

Python library ‘ctx’ uploads secrets to a Heroku endpoint

Heavily downloaded PyPI package ‘ctx’ has been compromised this week with newly published versions exfiltrating your environment variables to an external server.

‘ctx’ is a minimal Python module that lets developers manipulate their dictionary (‘dict’) objects in a variety of ways. The package, although popular, had not been touched since 2014 by its developer, as seen by BleepingComputer. However, newer versions emerged this week that contained malicious code:

PyPI package ctx republished after years
PyPI package ‘ctx’ republished after years of inactivity (BleepingComputer)

A Reddit user jimtk first took notice of the compromised ‘ctx’ package.

Ethical hacker Somdev Sangwan further reported PHP package ‘phpass’ having been compromised with the tainted versions of the library stealing developer’s AWS secret keys:

These claims were vetted by the Sonatype security research team that I am a part of.

Although PyPI has taken down the malicious ‘ctx’ versions as of a few hours ago, copies retrieved from Sonatype’s malware archives show presence of malicious code within all ‘ctx’ versions. Of note is, the 0.1.2 version that hadn’t been touched since 2014 was also replaced this week with malicious payload:

Malicious code within ctx
Malicious code within ‘ctx’ (BleepingComputer)

Once installed, these versions gather all your environment variables and upload these values to the following Heroku endpoint:

https://anti-theft-web.herokuapp[.]com/hacked/

At the time of our analysis, the endpoint was no longer active.

PHP package ‘phpass’ altered to steal AWS credentials

In an identical attack, the fork of an immensely popular Composer/PHP package, ‘hautelook/phpass’ was compromised with malicious versions published to the Packagist repository.

PHPass is an open source password hashing framework that can be used by developers in PHP applications. Released in 2005, the framework has been downloaded over 2.5 million times on Packagist over its lifetime.

BleepingCompuer also observed malicious commits made to the PHPass project this week that steal environment variables in a similar fashion.

Within PHPass, the altered ‘PasswordHash.php’ file specifically looks for the ‘AWS_ACCESS_KEY’ and ‘AWS_SECRET_KEY’ values in your environment. These secrets are then uploaded to the same Heroku endpoint.

Malicious commits made to PHPass
Malicious commits made to PHPass (BleepingComputer)

The presence of identical logic and Heroku endpoints within the PyPI and PHP packages indicate a common threat actor being responsible for both of these hijacks.

Researchers claim the attacker’s identity is obvious. However, this could’ve been a PoC exercise gone wrong and until more information comes to light, it would be irresponsible to name the person behind ‘ctx’ and ‘phpass’ hijack just yet.

Also, while the malicious PyPI package ‘ctx’ was live until later today, the impact from malicious ‘PHPass’ versions appears to have been far more limited after Packagist’s co-founder Jordi Boggiano marked the hijacked repository as “abandoned” and pointed everyone to use bordoni/phpass instead:

It is purported that a maintainer account compromise led to the hijacking of PyPI package ‘ctx’ but we are yet to find out the real cause.

But, the compromise of hautepass/phpass has been attributed to the attacker claiming a previously abandoned GitHub repository and reviving that repository to publish altered ‘phpass’ versions to the Packagist registry.

This type of attack has earlier been called repo jacking by cybersecurity firm Security Innovation. More recently, Intezer and Checkmarx released a joint report building on this research and how it could impact Go projects, dubbing the attack “chainjacking.”

This hijacking incident follows our recent report of a PyPI typosquat that was caught launching backdoors on Windows, Linux, and Macs.

Earlier this year, vastly popular npm libraries, ua-parser-js, ‘coa’ and ‘rc’ had been hijacked to serve crypto miners and credential stealers.

Following these attacks, GitHub mandated two-factor authentication for maintainers of Top 100 npm packages, and announced additional security enhancements.

The ongoing trend of threat actors and bug bounty hunters finding novel tactics to infiltrate the software supply chain could very well prompt administrators of other software registries to introduce similar enhancements.

Source: Ax Sharma
Via: bleepingcomputer
Tags: Popular PyPI and PHP libraries hijacked to steal AWS keys
ShareTweet

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025

Recent News

  • Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa July 29, 2025
  • French Telco Orange Hit by Cyber-Attack July 29, 2025
  • ATC Ghana supports Girls-In-ICT Program April 25, 2023
  • Vice President Dr. Bawumia inaugurates ICT Hub April 2, 2023
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version