Student hacker behind ctx and phpass repo-jacking steps forward

In a surprise move, a person has claimed responsibility for the recent supply-chain hacks on the popular open source Python ctx and Hypertext Preprocessor phpass libraries, claiming it was research and not malicious activity.

Student and intern Yunus Aydin from Istanbul said he created a scraper bot to check if Github profiles exist, and to capture the account owners' email addresses.

After parsing the responses from the bot with a query tool, Aydin said he could take over the package if the Github profile of the maintainer does not exist, or if their domain name is no longer valid.

For the ctx hack, Aydin used a bot to check if the domain name registration of package maintainers is valid.

When he found a domain with lapsed registration, he would manualy check its availability on Google Domains.

If available, Aydin could register the domain for five US dollars, and receive password reset emails from the Python Package Index repository.

Attacking phpass involved bypassing Github's authentication for retired repositories, which Aydin succeeded to do.

Aydin used similar techniques to attack the Rust programming language package registry, and the npm equivalent too, saying it was possible to take ownership of packages on those repositories as well.

The payload in the malicious packages captured users' environment variables, including sensitive data such as Amazon Web Services credentials.

Over ten million users and companies were at risk from the attacks, and Aydin received some 1000 environment variables to his Heroku instance.

The data he received has been deleted and not used, Aydin claims.

Aydin said he reported the Github authentication bypass to HackerOne on May 20 AEST.

However, HackerOne closed the report as a duplicate and the vulnerability has not been fixed, Aydin said.

After the attack, both the ctx and phpass packages were removed along with is Github user account and Heroku server instance.

Aydin's personal website was also deleted.

Other users objected to Aydin's research, saying it was done without consent and would force engineers in thousands of companies around the world to change credentials, as they could not trust that the captured ones would not be abused.