Popular Python Package Compromised: Don’t ‘Blindly Trust Open Source’

From venafi.com


The Python package ctx, which averages over 20,000 downloads per week, was compromised on the Python Package Index (PyPI), according to both forum and social media posts and a bevy of news reports.

“When we browse the release history tab, we can see various versions of ctx uploaded within the past few days,” the SANS Institute said on May 24. “It was undoubtedly weird that the original package that was uploaded on December 19, 2014, would be replaced by something identical on May 21, 2022 and have subsequent version updates (and skipping a few releases too),” the post said.
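The check SANS describes, a long-dormant package that suddenly grows new versions and skips version numbers, can be automated against the release history that PyPI exposes through its JSON API (https://pypi.org/pypi/&lt;name&gt;/json). The script below is an added example, not code from this article, from SANS, or from the ctx project. The release data embedded in it is constructed for illustration and is not the real ctx history; the package names, the 365-day dormancy threshold and the "skipped version" heuristic are assumptions of the example.

```python
"""Audit a PyPI release history for the warning signs SANS pointed to:
a revival after years of dormancy and skipped version numbers.

Added example. Input is a dict shaped like the ``releases`` field of
PyPI's JSON API (version -> list of file records, each carrying an
``upload_time_iso_8601`` field). The sample data below is constructed
and does not reproduce any real package's history.
"""
from datetime import datetime

# Constructed sample: one release in 2014, then a sudden burst of
# uploads in May 2022 that also jumps from 1.0.1 straight to 1.0.4.
SUSPICIOUS_RELEASES = {
    "1.0.0": [{"filename": "examplepkg-1.0.0.tar.gz",
               "upload_time_iso_8601": "2014-12-19T10:00:00.000000Z"}],
    "1.0.1": [{"filename": "examplepkg-1.0.1.tar.gz",
               "upload_time_iso_8601": "2022-05-21T10:00:00.000000Z"}],
    "1.0.4": [{"filename": "examplepkg-1.0.4.tar.gz",
               "upload_time_iso_8601": "2022-05-22T09:00:00.000000Z"}],
}

# Constructed sample of an unremarkable history: steady, contiguous releases.
BENIGN_RELEASES = {
    "2.0.0": [{"filename": "otherpkg-2.0.0.tar.gz",
               "upload_time_iso_8601": "2021-01-10T12:00:00.000000Z"}],
    "2.0.1": [{"filename": "otherpkg-2.0.1.tar.gz",
               "upload_time_iso_8601": "2021-06-15T12:00:00.000000Z"}],
    "2.0.2": [{"filename": "otherpkg-2.0.2.tar.gz",
               "upload_time_iso_8601": "2021-11-03T12:00:00.000000Z"}],
}


def _parse_upload_time(ts):
    # PyPI timestamps end in "Z"; older datetime.fromisoformat rejects it.
    return datetime.fromisoformat(ts.rstrip("Z"))


def _version_key(version):
    # Leading digits of each dotted component; "0.2rc1" -> (0, 2). Good
    # enough to order releases, not a full PEP 440 parser.
    key = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    return tuple(key)


def release_timeline(releases):
    """[(version, earliest upload time)] ordered by upload time.

    Versions with no files (e.g. fully deleted releases) are skipped.
    """
    timeline = []
    for version, files in releases.items():
        if not files:
            continue
        first = min(_parse_upload_time(f["upload_time_iso_8601"]) for f in files)
        timeline.append((version, first))
    return sorted(timeline, key=lambda item: item[1])


def _skips_versions(older, newer):
    # Flag when the first differing component jumps by more than one,
    # e.g. 1.0.1 -> 1.0.4 skips 1.0.2 and 1.0.3.
    a, b = _version_key(older), _version_key(newer)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    for x, y in zip(a, b):
        if x != y:
            return y - x > 1
    return False


def audit_release_history(releases, dormant_days=365):
    """Return {"revived": [(version, gap_days)], "skipped": [(older, newer)]}."""
    timeline = release_timeline(releases)
    findings = {"revived": [], "skipped": []}
    for (_, prev_time), (version, time) in zip(timeline, timeline[1:]):
        gap = (time - prev_time).days
        if gap > dormant_days:
            findings["revived"].append((version, gap))
    by_version = sorted(timeline, key=lambda item: _version_key(item[0]))
    for (older, _), (newer, _) in zip(by_version, by_version[1:]):
        if _skips_versions(older, newer):
            findings["skipped"].append((older, newer))
    return findings


def fetch_releases(name):
    """Live lookup against PyPI's JSON API (network; not used by the samples)."""
    import json
    import urllib.request
    with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json") as resp:
        return json.load(resp)["releases"]


if __name__ == "__main__":
    for label, data in (("suspicious", SUSPICIOUS_RELEASES), ("benign", BENIGN_RELEASES)):
        print(label, audit_release_history(data))
```

Run against a real package with `audit_release_history(fetch_releases("ctx"))`; a hit on `revived` is not proof of compromise (maintainers do come back after years away), but it is the signal that should trigger a look at who uploaded the new files and what changed in them before the package is installed.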

An independent researcher who also investigated the incident said in a tweet that the malicious code was likely intended to harvest AWS credentials.

