Malicious Python packages dump your AWS secrets online

Data Breach
(Image credit: Shutterstock)

Multiple malicious Python packages leaking sensitive user information have been uncovered by security experts.

In a blog post, Sonatype security researcher Ax Sharma says the packages: loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, were exfiltrating people’s secrets, such as AWS credentials and environment variables, and uploading them to a publicly exposed endpoint.

Some, as their names would suggest, were targeting developers familiar with the loglib and pyg libraries, while others have unknown targets. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" target="_blank">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"" target="_blank">end of this survey to get the bookazine, worth $10.99/£10.99.

Unknown attackers

We don’t know exactly how many people have had their data exposed, although Sharma said the researchers found “hundreds of TXT files containing sensitive information and secrets”.

To rule out the possibility of a security team doing research, Sonatype reached out to the owners of pygrata[.]com but never heard back. Soon after, the endpoint that was leaking the TXT files timed out, which made the researchers think someone must have shut it down. Furthermore, loglib-modules was quickly pulled from the web, albeit briefly.

Sonatype did not manage to discover who the threat actor behind the attack is, or what their ultimate goal was. 

“Were the stolen credentials being intentionally exposed on the web or a consequence of poor opsec practices?”, Sharma asks. “Should this be some kind of legitimate security testing, there surely isn't much information at this time to rule out the suspicious nature of this activity.”

Soon after reporting all of the problematic packages to the PyPI security team, they were all taken down, the company concluded.

Every now and then researchers discover malicious packages on open source repositories. Earlier this year, researchers found two Python and PHP packages (ctx and phpass), which essentially worked like trojans. It was later discovered that a Turkish security researcher Yunus Aydin was behind the two packages, as a demonstration of “how this simple attack affects +10M users and companies.”

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.