September 23, 2023

Researchers discovered multiple Python packages in the official PyPI repository that were developed to steal AWS secrets and upload them to a publicly exposed endpoint.

The malicious packages, which were reported to PyPI, are:

  • loglib-modules
  • pyg-modules
  • pygrata
  • pygrata-utils
  • hkg-sol-utils

After being reported to PyPI, the packages and the endpoint have now been taken down.


The analysis of the loglib-modules and pygrata-utils packages revealed the presence of malicious code to steal AWS credentials and metadata and upload them to one or more endpoints hosted on the PyGrata domain: hxxp://graph.pygrata[.]com:8000/upload

The stolen data were exposed on that endpoint in the form of hundreds of publicly available .TXT files.

The malicious package ‘loglib-modules’ had already been yanked at the time of our discovery, but was restored the following day by its maintainer, prompting us to notify PyPI again.

Whereas ‘loglib-modules’ and ‘pygrata-utils’ contain the malicious credential-stealing code described above, packages like ‘pygrata’ simply declare one of these packages as a dependency.
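A defender-side check for the situation the post describes, added here and not part of Sonatype's write-up or this post: it walks the installed distributions for the five package names, flags anything that declares one of them as a dependency (the way ‘pygrata’ pulled in the stealer), and flags source text that references the upload host. The package list and host come from the post; the function names are my own.

```python
import re
from importlib.metadata import distributions

# The five package names reported in the post (PEP 503-normalized form).
MALICIOUS_PACKAGES = {
    "loglib-modules", "pyg-modules", "pygrata", "pygrata-utils", "hkg-sol-utils",
}
# Host of the exfiltration endpoint named in the post, re-fanged for matching.
EXFIL_HOST = "graph.pygrata.com"


def normalize(name: str) -> str:
    """PEP 503 name normalization, so 'Pygrata_Utils' matches 'pygrata-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_suspects(installed):
    """installed: iterable of (distribution name, list of Requires-Dist strings).

    Returns (package, reason) pairs for packages that are themselves on the
    list or that pull one of them in as a dependency."""
    hits = []
    for name, requires in installed:
        pkg = normalize(name or "")
        if pkg in MALICIOUS_PACKAGES:
            hits.append((pkg, "listed malicious package"))
        for req in requires or []:
            # Requires-Dist looks like 'pygrata_utils (>=0.1); extra == "x"';
            # cut at the first version/extra/marker character to get the name.
            dep = normalize(re.split(r"[\s;<>=!~\[(]", req, maxsplit=1)[0])
            if dep in MALICIOUS_PACKAGES:
                hits.append((pkg, f"depends on {dep}"))
    return hits


def source_references_exfil_host(source: str) -> bool:
    """True if a module's source text mentions the upload endpoint's host,
    whether written plainly or defanged as graph.pygrata[.]com."""
    return EXFIL_HOST in source.replace("[.]", ".")


def scan_environment():
    """Run find_suspects over what is actually installed in this interpreter."""
    return find_suspects(
        (dist.metadata["Name"], dist.requires) for dist in distributions()
    )


if __name__ == "__main__":
    for pkg, reason in scan_environment():
        print(f"{pkg}: {reason}")
```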

The identity and motivation of the threat actor remain unknown.


This research and documentation were done by researchers from the firm Sonatype.
