Google's Guide is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission.

AWS keys are being stolen from Python libraries


A couple of Python repositories have been taken over.

image credits: flipboard

Users should be cautious when a GitHub repository that hasn’t been modified in almost a decade suddenly receives a “update,” since it could be a hostile takeover with the goal of spreading infections (opens in new tab).

That’s what happened to the “ctx” PyPI module, which has reportedly received millions of downloads. Someone replaced the secure “ctx” code with an updated version earlier this month, following a software supply chain assault, that captures developer environment variables and collects secrets such as Amazon AWS keys and credentials.


Taking advantage of a repossessed vehicle

BleepingComputer was the first to notice the attack, which resulted in 20,000 downloads.

Versions of “phpass” that were released to the PHP/Composer package repository Packagist were also “updated” in the same way, in addition to “ctx.” This one has received millions of downloads as well.

CTX is a Python module that hasn’t been updated since 2014. The module was then updated eight years later, on May 15, with malicious code, as discovered by Reddit users and then validated by ethical hackers. PHPass, on the other hand, is an open-source password hashing system that has been downloaded over two million times since its introduction in 2005.


The malicious versions were taken down by PyPI a few hours after they were submitted to the repository, but the harm had already been done, according to reports. Researchers emphasised that the damage caused by PHPass was far less severe.

Researchers allege that both assaults were carried out by the same person, whose identification is “clear,” but they are not naming any names until more information is released.

Researchers have coined the term “repo jacking” (repository hijacking) to describe these attacks, and these are far from the first. Popular npm libraries ua-parser-js, coa, and rc were all were hacked earlier this year to provide bitcoin miners and data thieves to their users.


With the greatest firewalls available, you can keep track of all traffic coming in and out.

Leave a Comment