The Hacker News reports that Amazon Web Services credentials and publicly-exposed environment variables are being targeted by several malicious Python packages including hkg-sol-utils, loglib-modules, pygrata, pygrata-utils, and pyg-modules.
AWS credentials, environment variables, and network interface details harvested by the backdoored "loglib-modules" and "pygrata-utils" packages are then exported to "hxxp://graph.pygrata[.]com:8000/upload," a remote endpoint, said Sonatype security researcher Ax Sharma. However, the threat actor and motives behind the Python package modifications remain uncertain.
"Were the stolen credentials being intentionally exposed on the web or a consequence of poor OPSEC practices? Should this be some kind of legitimate security testing, there surely isn't much information at this time to rule out the suspicious nature of this activity," Sharma noted.
Similar intrusions on open source repositories have been admitted by security researcher Yunus Aydin and German penetration testing firm Code White.
Code White noted that malicious packages uploaded to the NPM registry were meant to simulate dependency confusion attacks.
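A defender's check for the packages and upload endpoint named in the report above, as an added example that is not code from Sonatype or The Hacker News: it flags requirement lines that resolve to a reported package name under pip's name normalization, and log lines that reference the reported host. The function names, the log line layout and all sample inputs are assumptions constructed for illustration.

```python
import re

# Package names and exfiltration host as reported in the article above.
REPORTED_PACKAGES = {"hkg-sol-utils", "loglib-modules", "pygrata",
                     "pygrata-utils", "pyg-modules"}
REPORTED_HOST = "graph.pygrata[.]com".replace("[.]", ".")  # refanged for matching only

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
# Match the host as a whole name: not a suffix of a longer label, not a prefix of a longer domain.
_HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])" + re.escape(REPORTED_HOST)
                      + r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])", re.IGNORECASE)

def normalize(name):
    """PEP 503: runs of '-', '_' and '.' are equivalent and names are case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()

def flag_requirements(lines):
    """Return (line_number, normalized_name) for requirement lines naming a reported package."""
    hits = []
    for number, line in enumerate(lines, 1):
        line = line.split("#", 1)[0]          # drop comments
        if line.lstrip().startswith("-"):     # skip options such as -r or --index-url
            continue
        match = _NAME_RE.match(line)
        if match and normalize(match.group(1)) in REPORTED_PACKAGES:
            hits.append((number, normalize(match.group(1))))
    return hits

def flag_log_lines(lines):
    """Return the line numbers of log lines that reference the reported host."""
    return [number for number, line in enumerate(lines, 1) if _HOST_RE.search(line)]

# Constructed sample inputs (not real data).
SAMPLE_REQUIREMENTS = [
    "requests==2.28.0",
    "Pygrata_Utils>=0.1  # pulled in by a build script",
    "# loglib-modules was removed last sprint",
    "-r base.txt",
    "loglib.modules[extra]==1.0",
    "pygrata-utils-docs==1.0",
]
SAMPLE_LOG = [
    f"2000-01-01T10:00:01Z 192.0.2.10 POST http://{REPORTED_HOST}:8000/upload 200",
    "2000-01-01T10:00:02Z 192.0.2.11 GET https://pypi.org/simple/requests/ 200",
    f"2000-01-01T10:00:03Z 192.0.2.12 CONNECT {REPORTED_HOST.upper()}:8000 200",
    f"2000-01-01T10:00:04Z 192.0.2.13 GET http://{REPORTED_HOST}.example.net/ 200",
]

if __name__ == "__main__":
    print(flag_requirements(SAMPLE_REQUIREMENTS), flag_log_lines(SAMPLE_LOG))
```

Names are compared exactly after normalization, so `Pygrata_Utils` and `loglib.modules` are flagged while the unrelated `pygrata-utils-docs` is not.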
Ahead of its imminent approval, the Biden administration's proposed executive order mandating U.S. cloud infrastructure-as-a-service providers to strengthen the verification of their users' identities has received industry opposition due to the increased financial and logistical burdens that would arise from such a rule, according to The Record, a news site by cybersecurity firm Recorded Future.
U.S. independent record label Empire Distribution, which has worked with Kendrick Lamar, Snoop Dogg, and 50 Cent, had its sensitive data exposed as a result of an environment file misconfiguration, Cybernews reports.