
PyPi Packages Caught Stealing and Making AWS Keys and More Public

The PyPI repository has been found to host Python packages that appear to be malicious: they steal sensitive data, including AWS credentials and environment variables, and send it to publicly exposed endpoints that anyone can access.
 

What has been found?

Software supply-chain security companies spotted the Python packages using specialized automated malware detection tools.
The following were identified as malicious packages:
  • loglib-modules
  • pyg-modules
  • pygrata
  • pygrata-utils
  • hkg-sol-utils
 

How do packages function?

  • The first two packages, loglib-modules and pyg-modules, imitate legitimate and popular projects on PyPI to trick less experienced users into installing them.
  • The other three, pygrata, pygrata-utils, and hkg-sol-utils, have no apparent targeting, but the code of all five shares similarities or connections.
  • The packages 'loglib-modules' and 'pygrata-utils' were built for data exfiltration, grabbing AWS credentials, network interface information, and environment variables.
  • 'pygrata' does not contain the data-stealing functionality itself but pulls in 'pygrata-utils' as a dependency.
 

Where is the stolen data stored?

The stolen data is written to TXT files and uploaded to a PyGrata[.]com domain. The endpoint was not properly secured, however, which let analysts see exactly what the threat actors had stolen.

Conclusion

The availability of these Python packages on PyPI may have put a few users at serious risk, because their credentials were ultimately exposed to the public, even if the packages were used for legitimate security testing and the operators never intended to use the stolen information.

Developers need to be wary: release histories, upload dates, homepage URLs, package descriptions, and download counts should all be examined carefully to ascertain whether a Python package is genuine or a risky imitation.
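As an added example (not code from the article or from the packages it describes), the following Python script applies those checks to package metadata in the shape of the PyPI JSON API and to a pip freeze listing. Only the five package names come from the article; the sample metadata, the fixed clock and the "popular packages" list are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Package names the article reports as malicious (the only values taken from the page).
KNOWN_MALICIOUS = {"loglib-modules", "pyg-modules", "pygrata", "pygrata-utils", "hkg-sol-utils"}
POPULAR_PACKAGES = ["loglib", "requests", "numpy"]  # assumption: curated names lookalikes imitate
# Constructed sample shaped like the PyPI JSON API (https://pypi.org/pypi/<name>/json); values are made up.
SAMPLE_METADATA = {
    "info": {"name": "loglib-modules", "home_page": ""},
    "releases": {
        "0.0.1": [{"upload_time_iso_8601": "2022-06-20T10:00:00.000000Z"}],
        "0.0.2": [{"upload_time_iso_8601": "2022-06-21T10:00:00.000000Z"}],
    },
}
FIXED_NOW = datetime(2022, 6, 25, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def normalize(name):
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()
BAD_NAMES = {normalize(n) for n in KNOWN_MALICIOUS}

def looks_like(candidate, known, threshold=0.8):
    """True if candidate imitates known: near-identical string, or known plus a prefix/suffix."""
    c, k = normalize(candidate), normalize(known)
    if c == k:
        return False
    return (SequenceMatcher(None, c, k).ratio() >= threshold
            or c.startswith(k + "-") or c.endswith("-" + k))

def assess_package(meta, now=FIXED_NOW, popular=POPULAR_PACKAGES, max_age_days=30, min_releases=3):
    """Return warnings from the metadata checks the article recommends (age, history, homepage, name)."""
    info, releases, warnings = meta["info"], meta["releases"], []
    if normalize(info["name"]) in BAD_NAMES:
        warnings.append("name is on the known-malicious list")
    if not info.get("home_page"):
        warnings.append("no homepage URL")
    uploads = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
               for files in releases.values() for f in files]
    if uploads and (now - min(uploads)).days < max_age_days:
        warnings.append(f"first upload only {(now - min(uploads)).days} days ago")
    if len(releases) < min_releases:
        warnings.append(f"only {len(releases)} release(s)")
    warnings += [f"name resembles popular package '{k}'" for k in popular if looks_like(info["name"], k)]
    return warnings

def scan_requirements(lines):
    """Names from pip-freeze style lines ('name==version') that are on the known-malicious list."""
    return [n for n in (line.split("==")[0].strip() for line in lines) if n and normalize(n) in BAD_NAMES]
```

Run `assess_package(SAMPLE_METADATA)` to see every check fire on the constructed sample, and feed `scan_requirements` the lines of a real `pip freeze` to look for the five names.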
Cyware Publisher
