
Hacker uses Trojanized Python and PHP Packages to Steal AWS Keys

The discovery of two trojanized Python and PHP packages reveals yet another instance of a software supply chain attack aimed at the open-source ecosystem. One of the affected packages is "ctx," a Python module available in the PyPI repository. The other is "phpass," a PHP package that was forked on GitHub to distribute a rogue update.

In both cases, the attacker appears to have taken advantage of packages that had gone unmaintained for years, according to the SANS Internet Storm Center (ISC). ctx was last published to PyPI on December 19, 2014, while phpass has not received an update since its submission to Packagist on August 31, 2012.

Malicious ctx package removed from PyPI

The malicious Python package uploaded to PyPI on May 21, 2022, has been removed from the repository. However, the PHP library is still available on GitHub. The attacker(s) designed the updates to send AWS credentials to a Heroku URL, anti-theft-web[.]herokuapp[.]com. "It looks like the perpetrator hopes to obtain all of the environment variables, encode them in Base64, and transfer the data to a web app under the perpetrator's control," Ching (an ISC volunteer incident handler) explained.

The attacker gained unauthorized access to the maintainer's account to publish the new ctx version. Further analysis revealed that the threat actor registered the expired domain used by the original maintainer on May 14, 2022. "With authority over the original domain name, it would be straightforward to create a corresponding email to receive a password reset email," Ching added. "Once the offender had access to the account, he or she could delete the old package and upload the new backdoored versions."

On May 10, 2022, security consultant Lance Vick showed how expired domains behind npm maintainer email addresses can be purchased and used to re-create those maintainer emails and take control of the packages.

A metadata analysis of 1.63 million JavaScript npm packages by researchers from Microsoft and North Carolina State University uncovered 2,818 maintainer email addresses associated with expired domains, which would allow an attacker to hijack 8,494 packages by taking over the corresponding npm accounts. "In general, any domain name can be purchased from a domain registrar, allowing the purchaser to connect to an email hosting service to obtain a personalized email address," the researchers explained. "An attacker can hijack a user's domain to access an account associated with that email address."
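The takeover path described above (an expired maintainer domain, re-registered, then used to receive a password reset) and the npm metadata study both reduce to one audit question: which maintainer email addresses on the packages you depend on sit on domains nobody holds any more? The following script is an added example, not code from the article, ISC, or the researchers. It assumes the npm registry document shape (`maintainers: [{name, email}]`) and the PyPI JSON API shape (`info.author_email`, `info.maintainer_email`), and the sample metadata and the registered-domain stub are constructed so that it runs offline.

```python
"""Audit package metadata for maintainer e-mail domains that are no longer
registered, the precondition for the password-reset takeover described above.

Added example: the metadata records and the registered-domain stub below are
constructed for illustration, so the script runs offline; a live check would
pass dns_domain_resolves (or better, a registrar/RDAP lookup) as is_registered.
"""
import re
import socket
from collections import defaultdict

# Minimal e-mail shape check, enough to pull the domain out of registry metadata.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

# Shared mail providers: an address there cannot be reclaimed by registering the
# domain, so it is out of scope for this particular takeover (assumed list).
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}


def maintainer_emails(meta):
    """Collect maintainer addresses from an npm registry document
    ({"maintainers": [{"name", "email"}]}) or a PyPI JSON API document
    ({"info": {"author_email", "maintainer_email"}})."""
    emails = []
    for entry in meta.get("maintainers") or []:
        if isinstance(entry, dict) and entry.get("email"):
            emails.append(entry["email"])
    info = meta.get("info") or {}
    for key in ("author_email", "maintainer_email"):
        if info.get(key):
            emails.append(info[key])
    return emails


def email_domain(email):
    """Return the lower-cased domain part of an address, or None if malformed."""
    match = EMAIL_RE.match(email.strip())
    return match.group(1).lower() if match else None


def dns_domain_resolves(domain):
    """Coarse live check: does the domain resolve at all? A registered domain
    used only for mail may have no A/AAAA record, so treat False as a lead to
    confirm with the registrar, not as proof that the domain has expired."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_maintainers(packages, is_registered=dns_domain_resolves):
    """Map package name -> [(email, domain)] for maintainer addresses whose
    domain is_registered() reports as unregistered, i.e. claimable by anyone."""
    findings = defaultdict(list)
    for meta in packages:
        name = meta.get("name") or (meta.get("info") or {}).get("name")
        for email in maintainer_emails(meta):
            domain = email_domain(email)
            if domain is None or domain in PUBLIC_MAIL_DOMAINS:
                continue
            if not is_registered(domain):
                findings[name].append((email, domain))
    return dict(findings)


# Constructed sample metadata (not real packages or people).
SAMPLE_PACKAGES = [
    {"name": "left-widget",
     "maintainers": [{"name": "alice", "email": "alice@example-active.test"}]},
    {"name": "old-helper",
     "maintainers": [{"name": "bob", "email": "bob@lapsed-maintainer.test"},
                     {"name": "carol", "email": "carol@gmail.com"}]},
    {"info": {"name": "stale-lib", "author_email": "dev@abandoned-domain.test",
              "maintainer_email": ""}},
]

# Stub standing in for a registrar lookup: only this domain is "registered".
REGISTERED_STUB = {"example-active.test"}


def stub_is_registered(domain):
    return domain in REGISTERED_STUB


if __name__ == "__main__":
    for pkg, hits in audit_maintainers(SAMPLE_PACKAGES, stub_is_registered).items():
        for email, domain in hits:
            print(f"{pkg}: maintainer {email} uses unregistered domain {domain}")
```

Run against a real lock file, the package list would come from the registry's metadata endpoint for each dependency, and `is_registered` would be a registrar or RDAP lookup rather than the DNS heuristic; a hit is a reason to pin that dependency by hash and to ask the maintainer to update their account email, not proof of compromise.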

"It appears that the PHPass breach occurred because the owner of the package source 'HauteLook' cancelled his account, and then the attacker claimed the username," the researchers said. Public open-source code repositories such as Maven, npm, Packagist, PyPI, and RubyGems are a vital part of the software supply chain that many enterprises rely on to develop applications. That reliance has also made them an attractive target for attackers looking to distribute malware. Their techniques include typosquatting, dependency confusion, and account takeover attacks, which attackers can use to push fake versions of legitimate packages, resulting in large-scale supply-chain compromises.

Conclusion

Developers blindly trust repositories and install packages from these sources, assuming they are secure. Threat actors are using these repositories as a malware distribution vector and successfully launching attacks on both developer and CI/CD machines in the pipeline. Enforcing a zero-trust policy across your environment and assessing its security preparedness by performing regular penetration testing can help improve your security posture and help avoid issues like this.
