Malicious PyPi Repositories hijacking AWS secrets

Researchers discovered multiple Python packages in the official PyPI repository that were developed to steal AWS secrets and upload them to a publicly exposed endpoint.

The malicious packages, which were reported to PyPI, are:

  • loglib-modules
  • pyg-modules
  • pygrata
  • pygrata-utils
  • hkg-sol-utils

After PyPI was notified, the packages and the endpoint were taken down.

The analysis of the loglib-modules and pygrata-utils packages revealed malicious code that steals AWS credentials and metadata and uploads them to one or more endpoints hosted on the PyGrata domain: hxxp://graph.pygrata[.]com:8000/upload

The stolen data was exposed on that endpoint in the form of hundreds of publicly accessible .TXT files.

The malicious package ‘loglib-modules’ had already been yanked at the time of our discovery, but was restored the following day by its maintainer, prompting us to notify PyPI again.

Whereas ‘loglib-modules’ and ‘pygrata-utils’ contain the malicious code described above that steals secrets, packages like ‘pygrata’ simply use one of these packages as a dependency.
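The package names listed above, the upload endpoint and the dependency relationship are the actionable indicators for a defender. The script below is an added example, not code from the article or from Sonatype: it normalizes requirement names the way PyPI does (so spelling variants such as `PyGrata_Utils` still match), checks the installed distributions of the current interpreter, refangs the defanged URL and searches proxy log lines for connections to the upload host. The requirements file and the proxy log lines are constructed for the demonstration; the function names are the example's own.

```python
"""Defender-side checks for the indicators in the article above.

Added example (not code from the article or from Sonatype): it matches a
requirements file and the installed distributions against the reported package
names, and searches proxy log lines for the reported upload host. The sample
requirements and log lines below are constructed for the demonstration.
"""
import re
from importlib import metadata
from urllib.parse import urlsplit

# Package names reported as malicious in the article.
MALICIOUS_PACKAGES = {
    "loglib-modules", "pyg-modules", "pygrata", "pygrata-utils", "hkg-sol-utils",
}

# Defanged upload endpoint exactly as the article gives it.
DEFANGED_UPLOAD_URL = "hxxp://graph.pygrata[.]com:8000/upload"

# Constructed sample inputs (not real project files or logs).
SAMPLE_REQUIREMENTS = """\
requests==2.28.0
PyGrata_Utils==1.0   # spelling variant; normalizes to pygrata-utils
pygrata              # pulls pygrata-utils in as a dependency
-r base.txt
loglib==1.2.0        # different project; not flagged
"""

SAMPLE_PROXY_LOG = """\
2022-06-24T10:14:57Z build-agent-07 CONNECT pypi.org:443 200
2022-06-24T10:15:02Z build-agent-07 CONNECT graph.pygrata.com:8000 200
2022-06-24T10:15:03Z build-agent-07 POST http://graph.pygrata.com:8000/upload 200
2022-06-24T10:16:10Z build-agent-07 CONNECT files.pythonhosted.org:443 200
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_flagged_requirements(requirements_text: str) -> list:
    """Return requirement lines (comments stripped) whose project name is reported."""
    flagged = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):   # skip blanks and pip options (-r, -e, ...)
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match and normalize(match.group(0)) in MALICIOUS_PACKAGES:
            flagged.append(line)
    return flagged


def find_flagged_installed() -> list:
    """Reported package names installed in the current interpreter's environment."""
    names = {dist.metadata["Name"] for dist in metadata.distributions()}
    return sorted(n for n in names if n and normalize(n) in MALICIOUS_PACKAGES)


def refang(indicator: str) -> str:
    """Undo the usual defanging (hxxp, [.]) so the indicator can be matched."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def find_contacts_in_proxy_log(log_text: str, defanged_url: str) -> list:
    """Return log lines recording a connection to the indicator's host (any port)."""
    host = urlsplit(refang(defanged_url)).hostname
    # The host must stand alone: not preceded by another label, not followed by more name.
    pattern = re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])")
    return [line for line in log_text.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    print("flagged requirements:", find_flagged_requirements(SAMPLE_REQUIREMENTS))
    print("flagged installed:", find_flagged_installed())
    print("contacts to upload host:",
          find_contacts_in_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_UPLOAD_URL))
```

On the constructed inputs the requirements check flags `PyGrata_Utils==1.0` and `pygrata`, and the log search returns the two lines that reached graph.pygrata.com. Matching on the host rather than the full URL is deliberate: the article says the data went to one or more endpoints on that domain, so a path-exact match would miss sibling endpoints.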

The identity of the threat actor and their motivation remain unknown.

This research and documentation was done by researchers at Sonatype.
