Theft of AWS Credentials and Keys by Multiple-Backdoored Python Libraries

  • Home
  • Blog
  • Theft of AWS Credentials and Keys by Multiple-Backdoored Python Libraries
Theft of AWS Credentials and Keys by Multiple-Backdoored Python Libraries

Several malicious Python packages were caught stealing and identified by researchers. The PyPI repository is home to several suspicious Python packages. These packages have been found to steal confidential data such as AWS credentials and were sent openly to accessible endpoints.

According to a researcher, there were many packages, including loglib-modules, pyg-modules, and pygrata. These packages and their access points are no longer available now.

As per the researcher, the packages have definite codes that interpret and remove your secrets or may go for dependencies that would do the rest of the job. The code introduced into the packages enables the acquisition of AWS credentials. It also obtains network interface details and variables to transfer them to a remote endpoint.

Endpoint Security Risk

Many of these endpoints are used to host this information. Since TXT files also weren’t protected by any verification initiatives, anyone with access to the internet could acquire these credentials.

It’s important to know that packages including “pygrata” rely on one of the two previously mentioned modules rather than containing the code themselves. It is still unknown who the threat actor is and what drives them.

There were many queries. The researcher questioned, “Were the theft credentials intentionally made public on the internet, or was this a result of bad OPSEC practices? There isn’t enough information to exclude the possibility that this is a significant security test, even if it were.

History Of Previous Malicious Packages

It seems like another supply chain incident has affected the widely used Python module ‘ctx’ that is accessible within the PyPi repository.

It is not happening the first time. In open data repositories, the discovery of such malicious packages happened before too. A month ago, ctx and phpass were found in other application supply chain attacks.

Approximately 22,000 people download Ctx, a straightforward package that enables access to dictionary items through dot notation, each week. Whereas, The phpass is a PHP package that has a password hashing framework.

AWS Credentials

The unauthorized changes were made, according to a different researcher who is a security specialist based in Turkey. He declared he was only trying to tell how such a simple attack impacts more than 10M users and organizations.

Similar to it Code White, a German-based company, admitted that it is on the way to uploading malware packages. The company will post these to the registry of NPM in an effort to accurately recreate dependency confusion attacks aimed at its local clients, the vast majority of which are well-known media and industrial companies.

Final Thoughts

These malicious packages don’t employ cybersquatting techniques, the reason why they are at risk. They don’t randomly target programmers who typed a wrong character; instead, they reach people looking for particular tools for their developments.

Computer programmers should look further than package names and examine the published records, upload dates, main website links, package details, and download links.


Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud. Want a consultation with the professionals at Rogue Logics? Contact us and get a free quote.