Malicious Python library CTX removed from PyPI repo

A suspicious developer appears to have performed a domain hijack to take over the original project

A malicious and potentially hijacked Python package, CTX, has been removed from the Python Package Index (PyPI) repository after social media users alerted the team to its presence.

On May 24, Indian hacker Somdev Sangwan alerted developers on Twitter to a potential security issue impacting Python’s CTX library. In a tweet, Sangwan said:

Python’s CTX library and a fork of PHP’s phpass have been compromised. Three million users combined. The malicious code sends all the environment variables to a Heroku app, likely to mine AWS credentials.

Environmental variables can also include other forms of credentials and API keys.

The researcher was first made aware of the problematic package on a Reddit thread.

Malicious update

On May 22, a Reddit user with the moniker SocketPuppets said there had been a new update to CTX, a project hosted on both GitHub and PyPI.

The GitHub repository for the original project, designed for simple dictionary item queries using dot notation software for Python, has not been updated for roughly eight years.

“The OP [original poster] said it was recently updated, and on PyPI it was updated as of May 21,” Sangwan noted. “But the GitHub repo does not reflect any changes.”

DON’T MISS Critical Argo CD vulnerability could allow attackers admin privileges

He was not the only one to question the update. On the Reddit thread, users queried why environmental variables were sent to a URL – https://web.herokuapp.com/hacked – after examining the open source project’s source code and why the GitHub repository had not been updated.

SocketPuppets said: “I created a new company account and repository for new versions so the source will be totally changed.”

SockPuppets’ post history leads to a Medium blog and contact details potentially linking them to other GitHub repositories under the name ‘aydinnyunuss’.

As noted by Reddit user ‘antipsychosis’, the GitHub account belonging to this name, apparently belonging to a developer/student from Istanbul’s Commerce University, is the creator of GateCracker. This software also pings requests to Heroku apps.

Expired domain

The individual responsible for uploading the malicious package to PyPI exploited an expired domain, purchased the name, and then obtained ownership of the email address registered to the original repository.

In other words, they did so to send a password retrieval email to themselves and masquerade as the original project maintainer.

Sangwan also found evidence of a phpass compromise. In total, the impacted packages have been downloaded an estimated three million times, but only users who have downloaded them within the last week or so appear to be impacted.

Read more of the latest news about secure development

The CTX package, as well as other impacted libraries, have since been removed from the repository.

The Python Foundation told The Daily Swig that the compromise “was of a single user account due to re-registration over an expired domain.

“The domain that hosted the users email address was re-registered 2022-05-14T18:40:05Z and a password reset completed successfully for the user at 2022-05-14T18:52:40Z,” the organization added. “Original releases were then deleted and malicious copies uploaded.”

PyPI itself was not directly compromised.

In a subsequent write-up, the foundation noted that users who installed the CTX package between May 14 and May 24, 2022 were impacted. If user environment variables contain sensitive data, the organization advises the rotation of passwords and keys.

SocketPuppets/aydinnyunuss has not responded to requests for comment.

The Daily Swig has reached out to the CTX project maintainers and we will update if and when we hear back.

RECOMMENDED DBIR 2022: Ransomware surge increases global data breach woes