AWS credentials exfiltrated by compromised PyPi package, PHP library

Threat actors have hijacked the PyPi package dubbed "ctx" and the "phpass" PHP package to facilitate AWS credential exfiltration, reports The Hacker News. Both of the compromised packages have long been stagnant in their respective repositories, with ctx last published in December 2014 and phpass last updated in August 2012, a report from the SANS Internet Storm Center showed. Both packages have been altered to enable storage of stolen AWS credentials in the 'anti-theft-web.herokuapp[.]com.' URL, according to SANS ISC's Yee Ching. "It appears that the perpetrator is trying to obtain all the environment variables, encode them in Base64, and forward the data to a web app under the perpetrator's control," said Ching. Unauthorized maintainer account access may have been leveraged by attackers to allow the publishing of the new ctx version. "With control over the original domain name, creating a corresponding email to receive a password reset email would be trivial. After gaining access to the account, the perpetrator could remove the old package and upload the new backdoored versions," Ching added.