searchtwitterarrow rightmail strokearrow leftmail solidfacebooklinkedinplusangle upmagazine plus
Help Net Security - Daily information security news with a focus on enterprise security.
Help Net Security - Daily information security news with a focus on enterprise security.
  • News
  • Features
  • Expert analysis
  • Videos
  • Reviews
  • Events
  • Whitepapers
  • Industry news
  • Product showcase
  • Newsletters
Help Net Security
Help Net Security
May 26, 2022
Share

Hijacking of popular ctx and phpass packages reveals open source security gaps

The Python module “ctx” and a fork of the PHP library “phpass” have recently been modified by an unknown attacker to grab AWS credentials/keys and send them to a Heroku app.

But what at first seemed like the work of a malicious actor turned out to be an exploit by a security researcher, who wanted to demonstrate how easy it is to take control of popular packages and the repositories hosting them.

In this Help Net Security video, Ax Sharma, Senior Security Researcher at Sonatype, talks about the tactics used by the researcher Yunus Aydin (aka “SockPuppets”) and what they revealed about the security gaps that can be misused to mount supply chain compromises affecting the open source community. He also offers advice for users of third-party open source packages.

More about
  • account hijacking
  • GitHub
  • open source
  • PHP
  • PyPI
  • Python
  • research
  • Sonatype
  • supply chain compromise
Share this

Featured news

  • Overcoming obstacles to introduce zero-trust security in established systems
  • Leveraging network automation to enhance network security
  • Ransomware gangs are exploiting IBM Aspera Faspex RCE flaw (CVE-2022-47986)
Guide: Aligning your security program with the NIST CSF

Sponsored

Webinar: Tips from MSSPs to MSSPs – starting a vCISO practice

Security in the cloud with more automation

CISOs struggle with stress and limited resources

How to scale cybersecurity for your business

Don't miss

Overcoming obstacles to introduce zero-trust security in established systems

Leveraging network automation to enhance network security

Ransomware gangs are exploiting IBM Aspera Faspex RCE flaw (CVE-2022-47986)

3CX customers targeted via trojanized desktop app

The rise of biometrics and decentralized identity is a game-changer for identity verification

Cybersecurity news
Help Net Security - Daily information security news with a focus on enterprise security.
© Copyright 1998-2023 by Help Net Security
Read our privacy policy | About us | Advertise
Follow us