Hello, welcome to the Wednesday, May 25th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Well, last night on Reddit, some people did notice that there was a CTX Python package Python package on PIP, that hadn't been updated in a while,

but all for a sudden did receive an update.

CTX is an expansion to the Dict, the dictionary object, and, well, the addition that was added

was code that exfiltrated your EWS credentials, at least if you kept them in environment variables, which is very common.

The exfiltration was pretty simple.

It just appended the data to a URL, base 64 encoded it, and then sent it off to anti-theft web.heroku app.com.

So kind of ironically named.

And well, next thing, of course, is a quick Google search to figure out what else is connecting

to this particular URL. And

turns out there was also a PHP package that was updated five days ago. Now this PHP package

was a password hashing package, something that is, I don't think, really maintained anymore,

at least that particular package, but hasn't again been updated for a while.

And what the attacker did here is actually just claimed that they created sort of a fork of

a package in order to continue to maintain it.

In some ways, actually, they felt a little bit short here. If you think about it,

they did backdoor a password hashing package, but again, the only thing they actually

exfiltrated were these AWS environment variables and not the passwords that were going

to be hashed, at least in the version I looked at. The PIP package has since been removed.

Last time I checked the PHP package was still up there, but probably less of a problem, actually,

...