Python Packages Upload Your AWS Keys, env vars, Secrets to the Web

Posted on October 31, 2022 by

Categories: AWS


This past week, Sonatype found several Python packages that not only exfiltrate your secrets (AWS credentials and environment variables) but also upload them to a publicly available URL.

Sonatype’s automated malware detection system, available as part of Nexus platform products like Nexus Firewall, flagged these packages. After additional investigation, we determined these packages were harmful and reported them to PyPI.

There are two malicious packages, sonatype-2022-3475 and sonatype-2022-3546.

loglib-modules: appears to be aimed at programmers already acquainted with the official ‘loglib’ library.
pyg-modules: appears to be aimed at programmers already acquainted with the official ‘pyg’ library.
pygrata: unknown target.
pygrata-utils: possible attack vector; includes the same malicious code as ‘loglib-modules’.

According to an analysis by Sonatype security experts Jorge Cardona and Carlos Fernández, some of these packages either contain code that reads and exfiltrates your secrets or use a dependency that does.

A sample of the malicious code found in packages like “loglib-modules” and “pygrata-utils” is seen below.

Line 21 contacts a 169.254 IP address, which is part of the link-local IP range and is utilized by Amazon EC2 instances to supply the EC2 Instance Metadata Service.

It is well known that EC2 cloud instance-specific IAM role information may be retrieved at the URL ‘hxxp://169.254.169[.]254/latest/meta-data/iam/security-credentials/’.

Lines 22–26 look up the AWS credentials, network interface details, and environment variables.
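As an added example (not the code from the packages and not Sonatype's detection logic), the static check below flags Python source that both references the instance metadata address and reads environment variables. The two sample inputs are constructed and inert, and the names scan_source and is_suspicious are hypothetical.

```python
import ast

IMDS_HOST = "169.254.169.254"   # instance metadata address named in the article
ENV_NAMES = {"environ", "getenv"}

# Constructed, inert sample input (it sends nothing); not the packages' code.
SAMPLE_SUSPECT = '''
import os
META = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
env = dict(os.environ)
'''
SAMPLE_BENIGN = '''
import os
home = os.getenv("HOME")
'''

def scan_source(source):
    """Return sorted (line, finding) pairs for IMDS references and env reads."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IMDS_HOST in node.value:
                findings.add((node.lineno, "imds-url"))
        elif isinstance(node, ast.Attribute) and node.attr in ENV_NAMES:
            if isinstance(node.value, ast.Name) and node.value.id == "os":
                findings.add((node.lineno, "env-read"))
        elif isinstance(node, ast.ImportFrom) and node.module == "os":
            if any(alias.name in ENV_NAMES for alias in node.names):
                findings.add((node.lineno, "env-read"))
    return sorted(findings)

def is_suspicious(source):
    """True only when one file combines both behaviours the article describes."""
    kinds = {kind for _, kind in scan_source(source)}
    return {"imds-url", "env-read"} <= kinds

if __name__ == "__main__":
    print(scan_source(SAMPLE_SUSPECT), is_suspicious(SAMPLE_SUSPECT))
    print(scan_source(SAMPLE_BENIGN), is_suspicious(SAMPLE_BENIGN))
```

A literal-string match like this misses addresses assembled at run time, so treat a clean result as one signal among several rather than proof that a package is safe.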

We weren’t immediately sure about the intent of using the PyGrata[.]com domain or the names of some of the malicious packages (pygrata-utils).

Our analysts found that the endpoints collecting these credentials were making this information publicly available on the web. Advancing one directory level revealed thousands of TXT files containing confidential information and trade secrets, many of them shown redacted below.

While this activity certainly raises red flags, we wanted to rule out the possibility of ethical red team testing and sought out the proprietors of the ‘pygrata[.]com’ domain to gain insight into what was going on.

After we emailed the domain owners, however, the endpoint that had been publicly leaking TXT files began timing out, suggesting that it had been secured, even though certain parts of the mysterious PyGrata domain are still accessible as of this writing.

Although the malicious package ‘loglib-modules’ had been removed from PyPI at the time of our discovery, its maintainer reinstated it the next day, prompting us to report it to the registry once more.

Packages like ‘pygrata’ collect secrets only by making use of one of the packages that include the aforementioned malicious code. ‘loglib-modules’ and ‘pygrata-utils’, however, are dependencies for both of these packages.

Because the problematic package ‘pygrata-utils’ has been removed from the PyPI registry following our report to PyPI, there isn’t much that the current versions of ‘pygrata’ can accomplish.
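Because the secret-collecting code can arrive through a dependency rather than the package you installed by name, an audit has to look at declared requirements as well as installed names. The following is an added example, not Sonatype's or PyPI's tooling: it checks an environment against the package names listed in this article, with a constructed SAMPLE environment and hypothetical function names.

```python
import re
from importlib import metadata

# Package names listed in the article.
FLAGGED = {"loglib-modules", "pyg-modules", "pygrata", "pygrata-utils"}

def canon(name):
    """PEP 503 normalisation so 'Pygrata_Utils' and 'pygrata-utils' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(requirement):
    """Project name at the start of a requirement string such as 'foo>=1.0; extra'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return canon(m.group(1)) if m else ""

def audit(installed, flagged=FLAGGED):
    """installed maps distribution name -> requirement strings; returns sorted findings."""
    findings = []
    for name, reqs in installed.items():
        if canon(name) in flagged:
            findings.append((canon(name), "installed"))
        for req in reqs:
            if req_name(req) in flagged:
                findings.append((canon(name), "requires " + req_name(req)))
    return sorted(findings)

def installed_distributions():
    """Snapshot of the current environment in the shape audit() expects."""
    snapshot = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            snapshot[name] = list(dist.requires or [])
    return snapshot

# Constructed sample environment (not real package metadata).
SAMPLE = {
    "requests": ["urllib3<3,>=1.21.1", "idna"],
    "Pygrata": ["pygrata_utils (>=0.1)"],
    "internal-tool": ["loglib-modules; python_version >= '3.8'"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("sample:", finding)
    print("this environment:", audit(installed_distributions()))
```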

Who is behind these packages and what they are trying to achieve is still a mystery.

The ‘loglib-modules’ Python package appears to be aimed at developers who use ‘loglib’. But what about PyGrata and its domain? Who are these aimed at harming?

Were the disclosed credentials a result of inadequate opsec procedures or deliberate exposure? Even if this is genuine security testing, there isn’t much evidence to dispel the suspicion that this is malicious conduct.

Sonatype was so concerned about the safety of their users that they notified the PyPI security team about the potentially dangerous packages, including pygrata-utils and pygrata.

Users of the Nexus Firewall continue to be safe.

This finding comes after we reported several hundred harmful packages the previous week, one of which was the npm package flame-vali, which made several attempts to deactivate Windows Defender before releasing a trojan.

In the face of persistent threats like the ones we’ve already covered, Sonatype has been, and will continue to be, at the forefront of identifying and reporting assaults on OSS developers.

Users may rest easy knowing that harmful packages are being prevented from reaching their development builds by Nexus Firewall.

Safeguarding your software supply chain from the start, Nexus Firewall instances will isolate any suspect components identified by our automated malware detection algorithms pending a manual evaluation by a researcher.

Protect your developers, consumers, and software supply chain against malware using Sonatype’s world-class security research data and automated malware detection technologies.