This week in malware, highlights include malicious Python packages that not only read your secrets, namely AWS credentials and environment variables, but also upload them to a publicly exposed endpoint. Also listed below are more dependency confusion packages caught by Sonatype.
Python packages upload your AWS keys, env vars to the web
Multiple Python packages caught by Sonatype this month upload your AWS credentials and environment variables to a publicly exposed endpoint.
These malicious packages, assigned identifiers sonatype-2022-3475 and sonatype-2022-3546, are:
- loglib-modules — appears to target developers familiar with the legitimate 'loglib' library.
- pyg-modules — appears to target developers familiar with the legitimate 'pyg' library.
- pygrata — unknown target
- pygrata-utils — unknown target; contains identical malicious code to that seen in 'loglib-modules'
- hkg-sol-utils — unknown target
Analyzed by Sonatype security researchers Jorge Cardona and Carlos Fernández, some of these packages either contain the code that reads and exfiltrates your secrets themselves, or declare one of the packages that does as a dependency, so that installing either one has the same effect.
Read the dedicated blog post on the topic to learn more.
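As an added example that is not part of the original post, the script below scans a pip-freeze style requirements list for the five package names the post identifies as malicious, and additionally flags names that closely resemble the legitimate 'loglib' and 'pyg' libraries the first two packages imitate. The package names come from the post; the sample requirements text, the suffix list and the similarity threshold are constructed assumptions for illustration.

```python
"""
Audit a requirements.txt / pip freeze listing for the Python packages
named as malicious in the Sonatype post, plus lookalike names.

Added example, not Sonatype's code. Package names are from the post;
the sample manifest and the heuristics are constructed for illustration.
"""
import difflib
import re

# The five packages the post names (sonatype-2022-3475 / sonatype-2022-3546).
KNOWN_MALICIOUS = {
    "loglib-modules",
    "pyg-modules",
    "pygrata",
    "pygrata-utils",
    "hkg-sol-utils",
}

# Legitimate libraries whose users the post says are being targeted.
LOOKALIKE_TARGETS = ("loglib", "pyg")

# Similarity ratio above which a name is reported as a lookalike (assumption).
SIMILARITY_THRESHOLD = 0.8


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Extract normalized package names from requirements.txt style text.

    Comments, blank lines and option lines (e.g. '-r other.txt') are skipped;
    version specifiers and extras after the name are ignored.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def audit(names: list) -> list:
    """Return (name, verdict) pairs for known-malicious and lookalike names."""
    findings = []
    for name in names:
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known-malicious"))
            continue
        # Strip suffixes such as '-modules' or '-utils' (constructed list) so
        # 'loglib-utils' is compared against its base name 'loglib'.
        base = re.sub(r"-(modules?|utils?|lib|py)$", "", name)
        for target in LOOKALIKE_TARGETS:
            if name == target:
                break  # the legitimate library itself is fine
            similar = difflib.SequenceMatcher(None, name, target).ratio()
            if base == target or similar >= SIMILARITY_THRESHOLD:
                findings.append((name, f"lookalike-of:{target}"))
                break
    return findings


# Constructed sample manifest; not a real project's requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed sample for the audit example
requests==2.28.1
loglib-modules==1.0.2
pygments>=2.0
Loglib_Modules   # same package, different spelling
pyg-modules
hkg_sol_utils==0.1
boto3
"""


def audit_text(text: str) -> list:
    """Convenience wrapper: parse then audit."""
    return audit(parse_requirements(text))


if __name__ == "__main__":
    for name, verdict in audit_text(SAMPLE_REQUIREMENTS):
        print(f"{verdict:20} {name}")
```

The normalization step matters because pip treats 'Loglib_Modules' and 'loglib-modules' as the same distribution, so a plain string comparison would miss the variant spelling. The lookalike check is a heuristic: it reports 'loglib-utils' or 'loglib2', but leaves unrelated names such as 'pygments' alone.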
Dependency confusion packages
This week's dependency confusion findings include the following npm packages:
- cvent-web-components
- dapp-inter
- dapp-inter-agservers
- dapp-inter-ui
- megaman0072
Sonatype Repository Firewall users remain protected
This discovery follows last week's report of several dozen malicious packages, including the npm package 'flame-vali', which attempted to disable Windows Defender multiple times before dropping a trojan.
Sonatype remains at the forefront of timely discoveries and reporting attacks targeting OSS developers, like the ones discussed above.
Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Sonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start.
Sonatype's world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.