Software in Python Package Index (PyPI) and Hypertext Preprocessor (PHP) repositories have been targeted in supply-chain attacks, which researchers say are aimed at stealing users' Amazon Web Services credentials.
Reported by white hat hacker Somdev Sangwan, the PyPI ctx and a fork of PHP phpass contained malicious code until taken down.
While popular, both the phpass library and ctx dictionary module appear not to have not been updated since they were uploaded to repositories in 2012 and 2014 respectively.
An analysis by incident handler Yee Ching Tok at the SANS Internet Storm Centre showed that the compromised packages attempted to steal users' environment variables and send them to a Heroku instance that has now been taken down.
"In the 'new' ctx 0.1.2.py code, there was code added to attempt to retrieve the AWS access key ID, computer name and the AWS secret access key when a dictionary is created.
"What an extra feature!" Tok wrote.
Sangwan said that while the total number of downloads for the two packages is 3 million, the hack saw malware injected around a week ago, which means only users who fetched the libraries in that period of time are affected.
With 22,000 downloads a week, the number of compromised ctx installations is still substantial.
The compromises appear to be the result of the ctx maintainer's domain name expiring, and an attacker gaining access to the person's account.
Tok noted that the same malicious Heroku instance used in the hacked ctx package was found in a fork of of phpass on Github.