Cloud Security, Vulnerability Management

AWS assets targeted by backdoored Python packages

The Hacker News reports that Amazon Web Services credentials and publicly exposed environment variables are being targeted by several malicious Python packages, including hkg-sol-utils, loglib-modules, pygrata, pygrata-utils, and pyg-modules. AWS credentials, environment variables, and network interface details harvested by the backdoored "loglib-modules" and "pygrata-utils" packages are then exported to "hxxp://graph.pygrata[.]com:8000/upload," a remote endpoint, said Sonatype security researcher Ax Sharma. However, the threat actor and motives behind the Python package modifications remain uncertain. "Were the stolen credentials being intentionally exposed on the web or a consequence of poor OPSEC practices? Should this be some kind of legitimate security testing, there surely isn't much information at this time to rule out the suspicious nature of this activity," Sharma noted. Similar intrusions on open source repositories have been admitted by security researcher Yunus Aydin and German penetration testing firm Code White. Code White noted that malicious packages uploaded to the NPM registry were meant to simulate dependency confusion attacks.
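A defender can check dependency manifests for the package names reported above. The following is an added example, not code from the article or from Sonatype; the function names and the sample requirements text are constructed for illustration, and names are compared after PEP 503 normalization so that spellings such as `PyGrata_Utils` still match.

```python
import re

# Package names reported in the article above.
REPORTED = {"hkg-sol-utils", "loglib-modules", "pygrata", "pygrata-utils", "pyg-modules"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

# A requirement line begins with the project name (extras, specifiers, markers follow).
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
# Direct references can carry the name in a fragment: git+https://host/repo#egg=name
_EGG = re.compile(r"[#&]egg=([A-Za-z0-9][A-Za-z0-9._-]*)")
_URL = re.compile(r"^[A-Za-z0-9+.-]+://")

def find_reported(requirements_text):
    """Return (line_number, normalized_name) for each line naming a reported package."""
    hits = []
    for lineno, raw in enumerate(requirements_text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()      # drop comments, keep '#egg='
        line = re.sub(r"^(-e|--editable)\s+", "", line)    # editable installs name a package too
        if not line or line.startswith("-"):               # other pip options (-r, --index-url)
            continue
        m = _EGG.search(line)
        if m is None and not _URL.match(line):             # bare URL without egg: no name to check
            m = _NAME.match(line)
        if m and normalize(m.group(1)) in REPORTED:
            hits.append((lineno, normalize(m.group(1))))
    return hits

# Constructed sample requirements file (not taken from the article).
SAMPLE = """\
# constructed sample
boto3==1.24.0
PyGrata_Utils>=0.1   # different spelling, same project after normalization
loglib.modules[extra]==1.0 ; python_version >= "3.7"
-e git+https://example.invalid/repo.git#egg=pyg_modules
--index-url https://example.invalid/simple
pygrata-client==2.0
requests
"""

if __name__ == "__main__":
    for lineno, name in find_reported(SAMPLE):
        print(f"line {lineno}: reported package '{name}'")
```

A hit means the environment that installed the package should be treated as having exposed its AWS credentials and environment variables, so the credentials are rotated rather than the package simply removed.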
