March 22, 2023

Researchers discovered multiple Python packages in the official PyPI repository that have been developed to steal AWS secrets and uploaded them to a publicly exposed endpoint.

The malicious packages, which were reported to PyPI, are:

  • loglib-modules
  • pyg-modules
  • pygrata 
  • pygrata-utils
  • hkg-sol-utils

After notified to PyPI, the packages and the endpoint have now been taken down.

Advertisements

The analysis of the loglib-modules and pygrata-utils packages revealed the presence of malicious code to steal AWS credentials and metadata and upload them to one or more endpoints hosted on the PyGrata domain: hxxp://graph.pygrata[.]com:8000/upload

The stolen data were exposed on the in the form of hundreds of .TXT files publicly available.

The malicious package ‘loglib-modules’ had already been yanked at the time of our discovery, but was restored the following day by its maintainer prompting us to notify PyPI again

Whereas, ‘loglib-modules’ and ‘pygrata-utils’ contain malicious code shown above that steals secrets, packages like ‘pygrata’ simply use one of these packages as a dependency

The identity of the threat actor is still unknown and their motivation is not known.

Advertisements

This research and documentation was done by researchers from Sonatype firm

Tags:

Leave a Reply

You may have missed

Mandiant Report – Nation State Zero Day Exploits in 2022

Mandiant Report – Nation State Zero Day Exploits in 2022

March 22, 2023
Mispadu Banking Trojan

Mispadu Banking Trojan

March 22, 2023
DotRunpeX – Malware Injector Spreads in Wild

DotRunpeX – Malware Injector Spreads in Wild

March 21, 2023
Killnet Targets Healthcare Azure Resources

Killnet Targets Healthcare Azure Resources

March 21, 2023
NBA suffers a Data Breach – Third Party Provider Data Stolen

NBA suffers a Data Breach – Third Party Provider Data Stolen

March 21, 2023
Ferrari – Cyber Attack Ransom Demanded

Ferrari – Cyber Attack Ransom Demanded

March 21, 2023
%d bloggers like this: