After a popular Python package was compromised, it raises questions about software supply chain attacks on the open source ecosystem.
Python package compromise
The Python package ctx, which averages over 20,000 downloads per week, was compromised on the Python Package Index (PyPI), according to both forum and social media posts and a bevy of news reports.
“When we browse the release history tab, we can see various versions of ctx uploaded within the past few days,” the SANS Institute said on May 24. “It was undoubtedly weird that the original package that was uploaded on December 19, 2014, would be replaced by something identical on May 21, 2022 and have subsequent version updates (and skipping a few releases too),” the post said.
An independent researcher, who also investigated the incident, said in a tweet that the malicious activity is likely meant to mine AWS credentials.
Python is a popular programming language with a large collection of packages on Python Package Index (pypi.org), allowing developers to quickly build code.
“Many of these packages can be installed and updated by the well-known ‘pip install’ command. However, many developers may take the updating and installation process for granted and may neglect to check what might have changed in the packages,” SANS said.
An update of the SANS post advisory added that a search for the malicious domain shows that another GitHub repository has the same malicious domain embedded within the PHP code.
“It is recommended that the code in this repository not be used,” SANS said.
Both of the impacted libraries have been removed. While it’s possible that the malicious ctx version may have impacted a significant number of users, PHPass appears to have had much less of an impact, with only a limited number of installations in recent weeks.
Zero Trust with cert-manager, Istio and Kubernetes
The Register, and other publications, have framed this this as an evolving supply chain attack strategy.
The ctx package, now removed from PyPI, is a Python library for accessing Python dictionaries using dot notation. It remained unchanged over the past eight years (as it remains on GitHub) until May 14, 2022. That's when the expired email domain (figlief.com) administering the PyPI account was re-registered and taken over by an unknown attacker, a supply-chain attack strategy we've recently written about in the context of JavaScript registry NPM.
Don’t blindly trust open source
This malicious activity is part and parcel of the weaponization of open source, says Steve Judd, Senior Solutions Architect at Jetstack, now Venafi.
“This attack on PyPI’s ‘ctx’ has the potential to be extremely damaging to companies globally…With the open source solution being downloaded over 20,000 times a week, it’s easy to see how an attack like this might spread rapidly,” Judd said.
Judd continued. “Open source components are now present in 92% of apps – they make the world go round. However, attacks like this show that companies can’t blindly trust open source solutions, as they really have very little idea who has created or contributed towards them, which leaves companies wide open,” Judd said.
What can organizations do?
Developers aren’t going to stop using open source since as it enables them to move fast. But organizations need to take a proactive approach to enabling the safe use of these solutions, according to Judd.
“This means deploying a zero trust model in cloud native environments, analyzing every open source component and evaluating its level of risk before approving or rejecting it. Of course, doing this manually would be an incredibly slow and frustrating process, creating friction between security and developer teams, so automation is an absolute must. Without it, companies simply won’t be able to develop both at speed and securely,” Judd says.
See: Our Assessment Toolkit can help you find out about software supply chain security and Blueprint for building modern, secure software development pipelines.
Get Fast, Easy, and Secure Enterprise-Grade Code Signing With Venafi!
Related posts
- Open Source Makes Machine Identities on Kubernetes Accessible for All
- Google CAS Supports cert-manager and TLS Protect for Kubernetes for Cloud Native and Private PKI
- Pulumi Policy-as-Code for cert-manager Simplifies Machine Identity Management
- Open-Source Community: CNCF Sandbox Accepts Cert-Manager