The incident was investigated by Sonatype, the SANS Institute and an independent researcher. Two libraries were attacked, but only one of them could cause serious damage. Ctx had 22,000 downloads a week and was hacked on May 14. The latest update for the library had been uploaded to the Python Package Index (PyPI) in December 2014. Having gained control of the library, the attackers uploaded their own versions: 0.1.2 (the latest version of the original), 0.2.2 and 0.2.6, which include functionality for stealing data and sending it to the attackers’ servers.
One of the versions was aimed at obtaining the AWS access key identifier, computer name and AWS secret access key when creating a dictionary. Another malicious version of ctx tried to get all the victim’s environment variables.
The second compromised library was PHPass, a portable PHP system for hashing passwords. The original PHPass was deleted in September 2021 along with the developer’s account, but the attackers were able to restore access to the project on GitHub.
At the moment, both hacked libraries have been removed. Experts recommend that developers check the versions of any recently downloaded ctx and PHPass packages and, if a malicious version is detected, immediately remove it from the device.
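One way to run the recommended version check for ctx is sketched below. This is an added example, not code from the article or from the researchers named in it. It flags the three ctx versions listed above in a requirements file and in the current Python environment. The sample file contents are constructed. PHPass is not covered because the article gives no version numbers for it.

```python
import re
from importlib import metadata

# Versions the article lists as attacker uploads. 0.1.2 is also the number of
# the last original release, so a hit on it needs manual review.
FLAGGED = {"ctx": {"0.1.2", "0.2.2", "0.2.6"}}
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*?)\s*(?:;.*)?$")
PIN = re.compile(r"===?\s*([^\s,]+)")

def normalize(name):
    # PyPI treats runs of '-', '_' and '.' as equal and ignores case.
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (line_number, package, verdict) for each line naming a flagged package."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = REQ.match(line)
        if not m or normalize(m.group(1)) not in FLAGGED:
            continue                              # blank, option line, or other package
        name, pin = normalize(m.group(1)), PIN.fullmatch(m.group(2))
        if pin is None:
            verdict = "unpinned"                  # resolved to whatever was newest at install time
        else:
            verdict = "flagged" if pin.group(1) in FLAGGED[name] else "ok"
        findings.append((lineno, name, verdict))
    return findings

def check_installed():
    # Compare what is installed in this interpreter's environment.
    result = {}
    for name, bad in FLAGGED.items():
        try:
            result[name] = "flagged" if metadata.version(name) in bad else "ok"
        except metadata.PackageNotFoundError:
            result[name] = "absent"
    return result

# Constructed requirements file for the demonstration.
SAMPLE = """\
requests==2.27.1
ctx==0.2.6        # pinned to a flagged upload
Ctx == 0.1.2
ctx>=0.1
ctx==0.1.1 ; python_version >= "3.6"
not-ctx==0.2.2
"""

if __name__ == "__main__":
    print(scan_requirements(SAMPLE), check_installed())
```

An "unpinned" verdict means the file alone cannot say which upload was installed, so the environment check or the install logs have to settle it.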