
Developers targeted by poisoned Python library

A developer's expired domain led to a threat actor taking control of an open source library and poisoning it with malware that could steal private keys for AWS instances.

A routine domain expiration kicked off a chain of events that may have put hundreds of companies at risk of a massive data breach by way of a forgotten Python code library.

Researcher Yee Ching Tok with the SANS Institute unraveled the series of events that led to the "ctx Python" library being seeded with code that sought to steal the AWS secret keys of anyone who included it in their projects.

The malicious code has since been removed, and developers have been advised to check that they are not running the library.

According to a SANS Internet Storm Center blog post by Tok published Tuesday, the poisoned code was part of a supply chain attack that began with the theft of the ctx Python developer's pypi.org account, a theft that in turn stemmed from letting an unused domain expire.

The attack began when users noted that the Python library, which had gone without an update since December of 2014, was unexpectedly updated on May 21.

Suspecting that something was amiss, researchers began to examine the code and check for what exactly had changed in the ctx Python library. What Tok eventually uncovered was a snippet of code that searched the host machine for AWS secret keys.

This is particularly dangerous in the case of developers, who will routinely have administrator access to AWS databases containing sensitive company information. In this instance, a developer could expose their secret keys without ever reading the modified code or noticing that an update had occurred.

"Many of these packages can be installed and updated by the well-known 'pip install' command," Tok explained. "However, many developers may take the updating and installation process for granted and may neglect to check what might have changed in the packages."
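The warning sign in this story, a package that sat untouched for years and then suddenly shipped a new release, is something a dependency review can check for mechanically. The following Python script is an added example, not code from the article, SANS or Sonatype: it takes release metadata in the shape of PyPI's JSON API ("releases" mapped to version, each version a list of files with an "upload_time") and flags packages whose latest upload follows a long gap. The package names, versions and timestamps are constructed samples, not the real ctx release history.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the shape PyPI's JSON API returns. The "ctx" entry
# only mirrors the timeline in the article (years of silence, then a sudden
# release); its versions and timestamps are illustrative, not real.
SAMPLE_METADATA = {
    "ctx": {
        "releases": {
            "0.1.2": [{"upload_time": "2014-12-19T10:00:00"}],
            "0.2.2": [{"upload_time": "2022-05-21T12:00:00"}],
        }
    },
    "steady-lib": {  # hypothetical package with a regular release cadence
        "releases": {
            "1.0.0": [{"upload_time": "2021-03-01T00:00:00"}],
            "1.1.0": [{"upload_time": "2022-01-15T00:00:00"}],
            "1.2.0": [{"upload_time": "2022-05-20T00:00:00"}],
        }
    },
}


def release_times(meta: dict) -> List[datetime]:
    """Return the sorted upload times, one per version (earliest file per version)."""
    times = []
    for files in meta["releases"].values():
        stamps = [datetime.fromisoformat(f["upload_time"]) for f in files]
        if stamps:
            times.append(min(stamps))
    return sorted(times)


def dormancy_gap(meta: dict) -> Optional[timedelta]:
    """Gap between the latest release and the one before it; None if fewer than two releases."""
    times = release_times(meta)
    if len(times) < 2:
        return None
    return times[-1] - times[-2]


def flag_revived(metadata: Dict[str, dict], max_gap_days: int = 365) -> Dict[str, int]:
    """Map package name -> gap in days for packages revived after more than max_gap_days."""
    flagged = {}
    for name, meta in metadata.items():
        gap = dormancy_gap(meta)
        if gap is not None and gap.days > max_gap_days:
            flagged[name] = gap.days
    return flagged


if __name__ == "__main__":
    for name, days in flag_revived(SAMPLE_METADATA).items():
        print(f"{name}: new release after {days} days of inactivity; review the diff before upgrading")
```

A flagged package is a prompt to read the release diff and confirm the maintainer is still the same person, not a verdict on its own.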

After some digging, Tok was able to trace the attack back to a seemingly unlikely source: an expired domain. The researcher found that sometime between 2014 and May of this year, the developer who originally created ctx Python lost control of the domain they had used to register their GitHub account.

With the domain expired, it appears the attacker was able to take control of the domain, set up the email account and use it to reset the developer's GitHub password.

From there, the attacker was able to access the developer's original projects and slip malicious code snippets into multiple projects. In addition to ctx Python, the attacker put bad code into a PHP code project called "phpass."

Software security vendor Sonatype published a blog post Thursday on the compromises of the ctx Python and phpass libraries. "The GitHub repository of 'phpass' seen by us shows commits from 5 days ago that contain the same endpoint, as seen in compromised 'ctx' versions, indicating the attacks are related," the post said.

The poisoned code is yet another instance of a supply chain attack being carried out by way of a compromised open source library. Cybercriminals are increasingly looking to infiltrate the networks of multiple companies at once by compromising the developers who supply their software.

One of the best ways to do this is to target open source libraries and repositories that developers rely on when building their software. As a result, the work of securing networks and corporate data falls not only on IT and security staff, but on coders as well.

"With such an occurrence, it would be good for developers to closely scrutinize the packages that one uses for coding and verify that no extra features are lurking within the packages," Tok said. "This also highlights the importance of regularly checking source code, libraries and packages for irregularities, having a secure infrastructure for software development, and proper configuration management."
