Python packages upload your AWS keys, environment variables, and secrets to the web

Last week, Sonatype discovered several Python packages that not only exfiltrate your secrets – AWS IDs and environment variables, but instead upload them to a publicly exposed endpoint.

These packages were discovered by Sonatype’s automated malware detection system, offered as part of the Nexus Platform products, including Nexus Firewall. Upon further investigation, we deemed these packages malicious and reported them to PyPI.

These malicious packages, affected sonatype-2022-3475 and sonatype-2022-3546 are:

Analyzed by Sonatype security researchers Jorge Cardona and carlos fernandezsome of these packages either contain code that reads and exfiltrates your secrets, or use one of the dependencies that will do the job.

For example, the ‘loglib-modules’ and ‘pygrata-utils’ packages contain malicious code, some of which is shown below.

Line 21 connects to an IP address 169.254, which belongs to the link-local IP address range and is used by Amazon EC2 instances to provide the EC2 instance metadata service.

The URL ‘hxxp://169.254.169[.]254/latest/meta-data/iam/security-credentials/’ is known to return IAM role information related to an EC2 cloud instance.

The following lines of code (lines 22-26) examine AWS credentials, network interface information, and environment variables.

The script then attempts to upload the collected credentials and metadata to one or more endpoints hosted on the PyGrata domain:

hxxp://graph.pygrata[.]com:8000/download

Using PyGrata[.]com and the names of some of the malicious packages (pygrata-utils) weren’t very clear to us as to their purpose.

Interestingly though, our researchers noticed that endpoints collecting these credentials exposed this data to almost anyone on the (Read More…)

Comments are closed.