September 23, 2023

Researchers discovered multiple Python packages in the official PyPI repository that have been developed to steal AWS secrets and uploaded them to a publicly exposed endpoint.

The malicious packages, which were reported to PyPI, are:

  • loglib-modules
  • pyg-modules
  • pygrata 
  • pygrata-utils
  • hkg-sol-utils

After notified to PyPI, the packages and the endpoint have now been taken down.

Advertisements

The analysis of the loglib-modules and pygrata-utils packages revealed the presence of malicious code to steal AWS credentials and metadata and upload them to one or more endpoints hosted on the PyGrata domain: hxxp://graph.pygrata[.]com:8000/upload

The stolen data were exposed on the in the form of hundreds of .TXT files publicly available.

The malicious package ‘loglib-modules’ had already been yanked at the time of our discovery, but was restored the following day by its maintainer prompting us to notify PyPI again

Whereas, ‘loglib-modules’ and ‘pygrata-utils’ contain malicious code shown above that steals secrets, packages like ‘pygrata’ simply use one of these packages as a dependency

The identity of the threat actor is still unknown and their motivation is not known.

Advertisements

This research and documentation was done by researchers from Sonatype firm

Tags:

Leave a Reply

You may have missed

SandMan APT Group in action against Telcos

September 22, 2023

Gold Melody IAB Unsunging for Several Years

September 22, 2023

Apple fixes trio of Zeroday Exploits

September 22, 2023

T-Mobile and Data Breach tightly coupled

September 21, 2023

Cisco Acquires Splunk in a blockbuster deal

September 21, 2023

Atlassian BitBucket and Confluence Vulnerabilities

September 21, 2023
%d bloggers like this: