Multiple malicious Python packages leaking sensitive user information have been uncovered by security experts.
In a blog post, Sonatype security researcher Ax Sharma says the packages: loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, were exfiltrating people’s secrets, such as AWS credentials and environment variables, and uploading them to a publicly exposed endpoint.
Some, as their names would suggest, were targeting developers familiar with the loglib and pyg libraries, while others have unknown targets.
Unknown attackers
We don’t know exactly how many people have had their data exposed, although Sharma said the researchers found “hundreds of TXT files containing sensitive information and secrets”.
To rule out the possibility of a security team doing research, Sonatype reached out to the owners of pygrata[.]com but never heard back. Soon after, the endpoint that was leaking the TXT files timed out, which made the researchers think someone must have shut it down. Furthermore, loglib-modules was quickly pulled from the web, albeit briefly.
Sonatype did not manage to discover who the threat actor behind the attack is, or what their ultimate goal was.
“Were the stolen credentials being intentionally exposed on the web or a consequence of poor opsec practices?”, Sharma asks. “Should this be some kind of legitimate security testing, there surely isn't much information at this time to rule out the suspicious nature of this activity.”
Soon after reporting all of the problematic packages to the PyPI security team, they were all taken down, the company concluded.
Every now and then researchers discover malicious packages on open source repositories. Earlier this year, researchers found two Python and PHP packages (ctx and phpass), which essentially worked like trojans. It was later discovered that a Turkish security researcher Yunus Aydin was behind the two packages, as a demonstration of “how this simple attack affects +10M users and companies.”
