
Researchers have discovered the series of events that lead to the “ctx Python” library being seeded with code that sought to steal the AWS secret keys of anyone who included it in their projects.
According to SANS, the poisoned code was a supply chain attack prompted by the theft of the pypi.org account of the ctx Python developer that stemmed from letting an unused domain expire.
The attack came to light when users noticed that the Python library, which had not been updated since December 2014, unexpectedly received a new release on May 21. Finding this suspicious, researchers began examining the code to determine exactly what had changed in the ctx Python library. What they uncovered was a snippet of code that searched the host machine for AWS secret keys.
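The signal described above, a package silent for years that suddenly ships a new release, can be checked for before a dependency reaches a build. The following is an added example, not code from the article or the ctx project: it walks metadata in the shape of the PyPI JSON API ("releases" mapping each version to its uploaded files and their "upload_time"), but runs entirely offline on constructed data; the package names, versions and dates are made up for illustration, and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of the PyPI JSON API ("releases" -> version ->
# list of files with "upload_time"); names, versions and dates are made up.
SAMPLE_METADATA = {
    "dormant-lib": {  # stands in for a package untouched for years
        "releases": {
            "0.1.0": [{"upload_time": "2014-10-03T12:00:00"}],
            "0.1.1": [{"upload_time": "2014-12-19T09:30:00"}],
            "0.1.2": [{"upload_time": "2022-05-21T18:45:00"}],
        }
    },
    "active-lib": {  # stands in for a normally maintained package
        "releases": {
            "1.0.0": [{"upload_time": "2021-11-02T10:00:00"}],
            "1.1.0": [{"upload_time": "2022-02-14T10:00:00"}],
            "1.2.0": [{"upload_time": "2022-05-20T10:00:00"}],
        }
    },
}

def release_dates(metadata):
    """Upload timestamps of every release file, oldest first."""
    dates = [datetime.fromisoformat(f["upload_time"])
             for files in metadata["releases"].values() for f in files]
    return sorted(dates)

def dormancy_gap(metadata):
    """Days between the newest release and the one before it (0 if fewer than two)."""
    dates = release_dates(metadata)
    return (dates[-1] - dates[-2]).days if len(dates) >= 2 else 0

def suspicious_revivals(all_metadata, now_iso, min_gap_days=730, recent_days=30):
    """Packages whose newest release landed within recent_days of now_iso AND
    followed a silence of min_gap_days or more: diff such a release before use."""
    now = datetime.fromisoformat(now_iso)
    flagged = []
    for name, meta in all_metadata.items():
        dates = release_dates(meta)
        if not dates:
            continue
        is_recent = (now - dates[-1]) <= timedelta(days=recent_days)
        if is_recent and dormancy_gap(meta) >= min_gap_days:
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    for name in suspicious_revivals(SAMPLE_METADATA, now_iso="2022-05-25"):
        print(f"review before use: {name} (dormant {dormancy_gap(SAMPLE_METADATA[name])} days)")
```

A flagged package is a prompt to diff the new release against the previous one and to confirm the maintainer still controls the account, not proof of compromise on its own.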
This is particularly dangerous for developers, who routinely have administrator access to AWS databases containing sensitive company information. A developer could expose their secret keys without ever directly reading the modified code or even noticing that an update had been made.
After some in-depth analysis, the researcher was able to trace the attack back to its source: an expired domain. The researcher found that the domain had been active between 2014 and May of this year, after which the developer who originally created ctx Python lost control of the domain they had used to register their GitHub account.
With the domain expired, it appears the attacker was able to take over the domain, set up the email account and use it to reset the developer’s GitHub password. The attacker was then able to access the developer’s original projects and slip malicious code snippets into multiple projects. In addition to ctx Python, the attacker put bad code into a PHP project called “phpass.”
The poisoned code is yet another instance of a supply chain attack being carried out by way of a compromised open-source library. Cybercriminals are increasingly looking to infiltrate the networks of multiple companies by infiltrating the developers who provide their software.
One of the best ways to do this is to target open-source libraries and repositories that developers rely on when building their software. As a result, the work of securing networks and corporate data falls not only on IT and security staff but on coders as well.
The malicious code has since been removed, and developers have been advised to check that they are not running the library.
This research was conducted by Yee Ching Tok, working with the SANS Institute.