PyPi Python Packages Caught Sending Stolen AWS Keys to Unsecured Sites

by hubie from SoylentNews on (#60SQ8)

upstart writes:

Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by anyone:

PyPI is a repository of open-source packages that software developers use to pick the building blocks of their Python-based projects or share their work with the community.

While PyPI is usually quick to respond to reports of malicious packages on the platform, there's no real vetting before submission, so dangerous packages may lurk there for a while.

Software supply-chain security companies like Sonatype use specialized automated malware detection tools to spot them, and in this case, they identified the following packages as malicious:

  • loglib-modules
  • pyg-modules
  • pygrata
  • pygrata-utils
  • hkg-sol-utils

While the first two packages attempt to mimic legitimate and popular projects on PyPI to trick careless or inexperienced users into installing them and the other three don't have apparent targeting, all five feature code similarities or connections.

[...] Since these malicious packages aren't using typosquatting tricks, they're not randomly targeting developers who mistyped a character but users looking for specific tools for their projects.

Software developers are advised to go beyond package names and scrutinize release histories, upload dates, homepage links, package descriptions, and download numbers, all collectively helping determine if a Python package is the real deal or a dangerous fake.
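The vetting signals listed above can be checked mechanically before a package is ever installed. The script below is an added example, not part of the submission or of the reporting it quotes: it scores a package's metadata, in the shape returned by the PyPI JSON API (https://pypi.org/pypi/<name>/json), for the signals named in the article (first upload date, number of releases, homepage and project links, description length, download count) and adds a look-alike check that strips generic suffixes such as `-modules` or `-utils` from the name and compares the remainder against a list of projects the reviewer already trusts. Both metadata records, the trusted-project list, the fixed "current time" and the `downloads_last_month` argument are constructed for illustration; the JSON API itself does not carry download counts, so that figure is assumed to come from a separate statistics source.

```python
"""Score PyPI package metadata against common vetting signals: release history,
upload dates, homepage links, description, download numbers and name mimicry.
The two metadata records below are constructed for illustration in the shape of
the PyPI JSON API (https://pypi.org/pypi/<name>/json); none of it is real data."""
from datetime import datetime, timezone

# Constructed: a day-old package with one release, no links and a one-word description.
SUSPICIOUS_SAMPLE = {
    "info": {
        "name": "fakepkg-modules",   # constructed name, not a real package
        "summary": "modules",
        "description": "modules",
        "home_page": "",
        "project_urls": None,
    },
    "releases": {
        "0.0.1": [{"upload_time_iso_8601": "2022-06-20T10:15:00.000000Z"}],
    },
}

# Constructed: a project with years of releases, links and a real README.
ESTABLISHED_SAMPLE = {
    "info": {
        "name": "fakepkg",            # constructed name, not a real package
        "summary": "Structured logging helpers",
        "description": "# fakepkg\n\nStructured logging helpers. " * 10,
        "home_page": "https://example.org/fakepkg",
        "project_urls": {"Source": "https://example.org/fakepkg/src"},
    },
    "releases": {
        "1.0.0": [{"upload_time_iso_8601": "2019-03-01T00:00:00.000000Z"}],
        "1.1.0": [{"upload_time_iso_8601": "2020-07-12T00:00:00.000000Z"}],
        "1.2.0": [{"upload_time_iso_8601": "2021-11-30T00:00:00.000000Z"}],
        "1.2.1": [{"upload_time_iso_8601": "2022-05-02T00:00:00.000000Z"}],
    },
}

# Constructed allowlist of projects the reviewer already trusts.  A package whose
# name is one of these plus a generic suffix is flagged as a possible look-alike.
KNOWN_PROJECTS = ["fakepkg", "requests"]
GENERIC_SUFFIXES = ("-modules", "-utils", "_modules", "_utils")

# Fixed "current time" so the results below are reproducible (constructed).
NOW = datetime(2022, 6, 21, tzinfo=timezone.utc)


def _parse_time(stamp):
    # PyPI emits e.g. "2022-06-20T10:15:00.000000Z"; older Pythons reject the "Z".
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def upload_times(meta):
    """All file upload times across every release, oldest first."""
    stamps = [f["upload_time_iso_8601"] for files in meta["releases"].values() for f in files]
    return sorted(_parse_time(s) for s in stamps)


def looks_like_known_project(name, known=KNOWN_PROJECTS):
    """Return the trusted project a name appears to imitate, or None."""
    base = name.lower()
    for suffix in GENERIC_SUFFIXES:
        if base.endswith(suffix):
            base = base[: -len(suffix)]
            break
    for project in known:
        if base == project.lower() and name.lower() != project.lower():
            return project
    return None


def assess_package(meta, downloads_last_month=None, now=NOW):
    """Return a list of vetting findings; an empty list means no red flags."""
    info, findings = meta["info"], []
    times = upload_times(meta)
    if not times:
        findings.append("no uploaded files at all")
    else:
        age_days = (now - times[0]).days
        if age_days < 30:
            findings.append(f"first upload only {age_days} day(s) ago")
    if len(meta["releases"]) < 3:
        findings.append(f"thin release history ({len(meta['releases'])} release(s))")
    if not info.get("home_page") and not info.get("project_urls"):
        findings.append("no homepage or project links")
    if len(info.get("description") or "") < 100:
        findings.append("minimal description")
    # Download counts are not in the JSON API; the caller supplies a figure from a
    # separate statistics source (assumption) or passes None to skip this check.
    if downloads_last_month is not None and downloads_last_month < 100:
        findings.append(f"very few downloads ({downloads_last_month} last month)")
    imitated = looks_like_known_project(info["name"])
    if imitated:
        findings.append(f"name resembles trusted project '{imitated}'")
    return findings


if __name__ == "__main__":
    for sample in (SUSPICIOUS_SAMPLE, ESTABLISHED_SAMPLE):
        print(sample["info"]["name"], "->", assess_package(sample) or ["no red flags"])
```

Run against the constructed records, the day-old package collects five findings while the established one collects none. The thresholds (30 days, 3 releases, 100 characters, 100 downloads) are deliberately coarse starting points; a team would tune them and treat the result as a prompt for manual review rather than a verdict, since a well-funded attacker can age a package and pad its description.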
