Malicious Python packages dump your AWS secrets online

Some were targeting developers familiar with the loglib and pyg libraries


Multiple malicious Python packages leaking sensitive user information have been uncovered by security experts.

In a blog post, Sonatype security researcher Ax Sharma says the packages (loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils) were exfiltrating people’s secrets, such as AWS credentials and environment variables, and uploading them to a publicly exposed endpoint.

Some, as their names would suggest, were targeting developers familiar with the loglib and pyg libraries, while others have unknown targets.
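A check a defender can run against the package names listed above, as an added example that is not part of the original article or of Sonatype's research: it looks for the five reported names in a requirements file and in the current Python environment, comparing names under PEP 503 normalization. The function names and the sample requirements text are constructed for illustration.

```python
import re
from importlib import metadata

# Package names reported in the article (PyPI has since removed them).
REPORTED = {"loglib-modules", "pyg-modules", "pygrata", "pygrata-utils", "hkg-sol-utils"}

def normalize(name):
    """PEP 503 normalization: case-insensitive; runs of -, _ and . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Return the normalized project name from one requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()   # drop comments
    if not line or line.startswith("-"):    # blank lines and pip options (-r, -e, --hash)
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def scan_requirements(text):
    """Return (line_number, name) pairs, in file order, for reported packages."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        name = requirement_name(line)
        if name in REPORTED:
            hits.append((n, name))
    return hits

def scan_installed():
    """Return the reported packages that are installed in the current environment."""
    found = set()
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and normalize(name) in REPORTED:
            found.add(normalize(name))
    return sorted(found)

# Constructed sample input, not taken from any real project.
SAMPLE = """\
requests==2.28.0
Pygrata_Utils>=0.1   # typed with different case and separator
# pyg-modules is only mentioned in a comment
loglib-modules[extra]==1.0 ; python_version >= "3.7"
-r other.txt
boto3
"""

if __name__ == "__main__":
    print("requirements hits:", scan_requirements(SAMPLE))
    print("installed hits:", scan_installed())
```

A hit from `scan_installed()` means the AWS credentials and environment variables available to that environment should be treated as exposed and rotated.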


Unknown attackers

We don’t know exactly how many people have had their data exposed, although Sharma said the researchers found “hundreds of TXT files containing sensitive information and secrets”.

To rule out the possibility of a security team doing research, Sonatype reached out to the owners of pygrata[.]com but never heard back. Soon after, the endpoint that was leaking the TXT files timed out, which made the researchers think someone must have shut it down. Furthermore, loglib-modules was quickly pulled from the web, albeit briefly.

Sonatype did not manage to discover who the threat actor behind the attack is, or what their ultimate goal was.


“Were the stolen credentials being intentionally exposed on the web or a consequence of poor opsec practices?”, Sharma asks. “Should this be some kind of legitimate security testing, there surely isn’t much information at this time to rule out the suspicious nature of this activity.”

Soon after Sonatype reported all of the problematic packages to the PyPI security team, they were all taken down, the company concluded.

Every now and then, researchers discover malicious packages on open source repositories. Earlier this year, researchers found two Python and PHP packages (ctx and phpass), which essentially worked like trojans. It was later discovered that Turkish security researcher Yunus Aydin was behind the two packages, as a demonstration of “how this simple attack affects +10M users and companies.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
