PyPI Library ctx and PHP’s PHPass compromised due to account takeover
The authors of these libraries let their associated GitHub account or their custom email domain expire, which allowed a third party to perform an account takeover of the package maintainer identity.
Impact
This incident affected tens of thousands of installs of ctx throughout the 3-week window between May 1st and May 21st, as well as roughly 2.5 million downloads of PHPass, according to Packagist.org.
Type of Compromise
This incident fits the Dev Tooling definition.
References
- How I hacked CTX and PHPass Modules
- Twitter thread on the topic
- Reddit’s “I think the CTX package on PyPI has been hacked!”