Multi-Backdoored Python Libraries Found Stealing AWS Secrets and Keys

Researchers have unraveled a series of malicious Python packages in the official third-party software repository that are engineered to draw out AWS credentials and environment variables onto a publicly exposed endpoint.

According to Sonatype security researcher Ax Sharma, some of the packages include loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils. Both the packages and the endpoints have now been taken down.

“Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job,” Sharma said.

The malicious code injected into “loglib-modules” and “pygrata-utils” enable the packages to obtain AWS credentials, network interface information, and environment variables and export them to a remote endpoint.

These endpoints hosting this information via hundreds of .TXT files were not secured by any authentication barrier, thus allowing any party on the web to obtain these credentials.

“Were the stolen credentials being intentionally exposed on the web or a consequence of poor OPSEC practices?Should this be some kind of legitimate security testing, there surely isn’t much information at this time to rule out the suspicious nature of this activity,” Sharma said. 

A Turkey-based security researcher, Yunus Aydın, has claimed responsibility for the unauthorized changes, stating he merely wanted to “show how this simple attack affects +10M users and companies.”

Incidentally, Code White, a German penetration testing company, claimed responsibility for uploading malicious packages to the NPM registry, attempting to realistically mimic dependency confusion attacks aimed at its customers in the country, most of whom are big media, logistics, and industrial firms.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web