Compromise of Ctx and Phppass Packages Turned Out to be Questionable “Research”

Written by Emma Davis

It has turned out that the recent compromise of the ctx and phppass packages, which stole environment variables in search of Amazon AWS credentials and keys, was a demonstration of an attack, and that the author of this “research” did not intend any malicious actions.

Let me remind you that the suspicious behavior of ctx and phppass became known earlier this week. First, a compromised version of the ctx package, which is downloaded more than 20,000 times a week, was seen in the PyPI repository.

The malicious version stole environment variables in search of Amazon AWS credentials and keys. It then turned out that the popular PHP library phpass had also been compromised: forks of it stole secrets in a similar way, uploading them to the same Heroku endpoint.

Let me remind you that we previously reported that spammers attack PyPI and GitLab repositories.


Istanbul-based researcher Yunus Aydın, who uses the nickname SockPuppets, was behind the campaign, Bleeping Computer now reports. He argues that the compromise of ctx and phppass was only a proof-of-concept (PoC) for a bug bounty, and that the theft of AWS tokens was necessary to demonstrate the “maximum impact” of the exploit. And although Aydın claims that this is an “ethical study”, the victims of his activity clearly perceived what happened very differently.

Journalists note that bug bounty exploits targeting open-source libraries typically use simple code, such as printing “you’ve been hacked!” on the target system, or stealing some basic information, such as the user’s IP address, hostname, and working directory. The researcher can later present this data as evidence of the hack to claim a reward. Stealing environment variables and AWS credentials, however, is hardly “ethical”.

“I submitted a report to HackerOne to demonstrate the maximum impact [of the exploit]. All of these studies did NOT contain any harmful activity. I wanted to show how such a simple attack can affect over 10 million users and companies. ALL DATA THAT I RECEIVED IS DELETED AND IS NOT USED,” writes Aydın.

Aydın also explained how he was able to take ownership of ctx: the original author’s domain had expired. Aydın used a bot to crawl various open-source registries and extract the email addresses of the maintainers listed for each package. When the bot found an email address on an expired custom domain name, Aydın was notified.

The ctx package had not been touched for years and was originally published to PyPI using figlief@figlief.com. When Aydın found that this domain was no longer registered, he bought it, recreated the same email address, initiated a password reset, and took control of the package.
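The two warning signs in the story above, a maintainer contact address on a domain that is no longer registered and a dormant package that suddenly receives a new release, can both be read from public PyPI metadata, so a consumer of a package can check its own dependency list for them before upgrading. The following script is an added example written for this article from the defender's side; it is not code from the article, from the researcher's bot, or from any project named here. The package names, e-mail addresses and release dates are constructed sample data, and the domain resolver is a stub so the script runs offline; the live replacements are noted in the comments.

```python
"""Audit PyPI dependency metadata for the takeover pattern described in the article.

Added, hypothetical example. Two checks per package:
  1. does every author/maintainer e-mail domain still resolve?
  2. did the latest release arrive after years of dormancy?
Input is the shape of PyPI's JSON API (info.author_email, info.maintainer_email,
releases[version][*].upload_time); the sample below is constructed, not real data.
"""
from __future__ import annotations

import datetime as dt
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
DORMANCY_YEARS = 2  # assumed threshold; tune for your own risk appetite


@dataclass
class Finding:
    package: str
    reason: str


def contact_domains(info: dict) -> Set[str]:
    """Domains of every e-mail address in the author/maintainer fields ("Name <a@b>" is accepted)."""
    domains: Set[str] = set()
    for key in ("author_email", "maintainer_email"):
        for m in EMAIL_RE.finditer(info.get(key) or ""):
            domains.add(m.group(1).lower())
    return domains


def release_times(releases: dict) -> List[dt.datetime]:
    """Earliest upload time of each release, ascending; releases without files are skipped."""
    times = []
    for files in releases.values():
        stamps = [dt.datetime.fromisoformat(f["upload_time"]) for f in files if "upload_time" in f]
        if stamps:
            times.append(min(stamps))
    return sorted(times)


def audit_package(name: str, metadata: dict, resolves: Callable[[str], bool]) -> List[Finding]:
    """Return the findings for one package; an empty list means nothing stood out."""
    findings: List[Finding] = []
    for domain in sorted(contact_domains(metadata.get("info", {}))):
        if not resolves(domain):
            findings.append(Finding(name, f"maintainer contact domain {domain!r} does not resolve; "
                                          "a lapsed domain lets anyone re-create the address and reset the password"))
    times = release_times(metadata.get("releases", {}))
    if len(times) >= 2:
        gap = times[-1] - times[-2]
        if gap.days > 365 * DORMANCY_YEARS:
            findings.append(Finding(name, f"latest release arrived after {gap.days // 365} years of dormancy; "
                                          "review the diff before upgrading"))
    return findings


def audit_all(metadata_by_package: Dict[str, dict], resolves: Callable[[str], bool]) -> List[Finding]:
    out: List[Finding] = []
    for name, md in metadata_by_package.items():
        out.extend(audit_package(name, md, resolves))
    return out


def live_resolver(domain: str) -> bool:
    """For real use: DNS lookup. Note that an expired domain may still resolve to a parking page,
    so pair this with an RDAP/WHOIS expiry check before drawing conclusions."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


# --- constructed sample data (not real packages or addresses) ---
CONSTRUCTED_METADATA: Dict[str, dict] = {
    "dormant-pkg": {
        "info": {"author_email": "owner@lapsed-domain.example", "maintainer_email": ""},
        "releases": {
            "0.1.0": [{"upload_time": "2016-03-01T10:00:00"}],
            "0.1.1": [{"upload_time": "2016-06-15T10:00:00"}],
            "0.2.0": [{"upload_time": "2022-05-20T09:00:00"}],
        },
    },
    "active-pkg": {
        "info": {"author_email": "Dev Team <team@active.example>", "maintainer_email": "team@active.example"},
        "releases": {
            "1.0.0": [{"upload_time": "2021-11-01T08:00:00"}],
            "1.1.0": [{"upload_time": "2022-04-01T08:00:00"}],
        },
    },
}
CONSTRUCTED_RESOLVING_DOMAINS = {"active.example"}


def stub_resolver(domain: str) -> bool:
    """Offline stand-in for live_resolver, driven by the constructed set above."""
    return domain in CONSTRUCTED_RESOLVING_DOMAINS


if __name__ == "__main__":
    for finding in audit_all(CONSTRUCTED_METADATA, stub_resolver):
        print(f"[{finding.package}] {finding.reason}")
```

On the constructed data the script reports two findings for `dormant-pkg` (unresolvable contact domain, and a release after about six years of silence) and nothing for `active-pkg`. Either finding alone is a reason to pin the dependency by hash and read the release diff rather than upgrade blindly; neither is proof of compromise.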


When journalists asked the researcher whether he had received a reward for his research, Aydın replied that HackerOne had closed his report as a duplicate. Some users also noticed that after the news about the compromise of ctx and phppass broke, Aydın seemed to be trying to reduce his presence on the Internet: his site sockpuppets.ninja (archived version) stopped working, and his profile on BugCrowd is no longer available.

However, the researcher himself assures that the site is simply on free hosting and has exceeded its visit limit because of the great interest in the report.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
