BUG: Possible Python Package CTX Compromised
Please read the following context of the email that I received. As we do not use AWS, can we be affected?
Hello,
There was a recent supply chain attack in which the Python package ctx on PyPI was compromised, in particular to steal AWS keys. I don’t know if anyone at StatCan uses ctx (either directly or as a dependency); the attack wouldn’t work on Network A, and I don’t think StatCan uses AWS much (if at all). However, if users on Net B or AAW had AWS keys saved (for instance to download data from an AWS S3 repository), or were running ctx on their home computer, they should revoke the old AWS keys ASAP. This kind of attack is the sort of thing JFrog Artifactory Xray tries to prevent or reduce. Some links:
• https://www.theregister.com/2022/05/24/pypi_ctx_package_compromised/
• https://www.bleepingcomputer.com/news/security/popular-python-and-php-libraries-hijacked-to-steal-aws-keys/
• https://isc.sans.edu/forums/diary/ctx+Python+Library+Updated+with+Extra+Features/28678/
Stan Hatko, M.Sc.
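The two open questions in the e-mail above, whether ctx is present in an environment (directly or as a dependency) and whether there are AWS keys on the host that would need revoking, can be answered with a short inventory script. The following is an added example, not code from the original bug report, the e-mail, or the ctx project; the package name is the one in the advisory, the requirements lines in the test are constructed, and the credential file locations are the standard AWS CLI defaults.

```python
"""
Inventory check for a package named in a supply chain advisory (here: ctx).

Three independent checks:
  1. Scan requirements.txt / `pip freeze` output for a pin on the package.
  2. Walk the installed distributions and report the installed version of the
     package and every installed distribution that declares it as a requirement.
  3. List the usual places AWS keys live on this host, so the operator knows
     whether there was anything to steal and therefore something to revoke.
"""
import os
import re
from importlib import metadata
from pathlib import Path

TARGET = "ctx"  # package named in the advisory


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_in_requirements(lines):
    """Return (name, version_spec) pairs for requirement lines that pin TARGET.

    `lines` is the content of a requirements.txt or `pip freeze` output, one
    entry per element. Comments, blank lines and option lines (-r, -e, ...)
    are skipped. Matching is done on the normalized name so 'CTX' == 'ctx'.
    """
    hits = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[.*?\])?\s*(.*)$", line)
        if m and normalize(m.group(1)) == normalize(TARGET):
            hits.append((m.group(1), m.group(3).strip()))
    return hits


def find_installed_dependents(target=TARGET):
    """Return (installed_version, dependents) for the current interpreter.

    installed_version is None when the target is not installed; dependents is
    a list of 'name version' strings for distributions whose Requires-Dist
    metadata names the target, i.e. the transitive route by which it could
    have been pulled in.
    """
    installed_version = None
    dependents = []
    for dist in metadata.distributions():
        name = dist.metadata.get("Name") or ""
        if normalize(name) == normalize(target):
            installed_version = dist.version
        for req in dist.requires or []:
            # Requires-Dist entries look like 'ctx>=0.1', 'ctx (>=0.1)',
            # 'ctx[extra]; python_version < "3.8"'; cut at the first separator.
            req_name = re.split(r"[\s\[;<>=!~(]", req, maxsplit=1)[0]
            if normalize(req_name) == normalize(target):
                dependents.append(f"{name} {dist.version}")
    return installed_version, dependents


def aws_credential_locations(env=None, home=None):
    """List places on this host where AWS keys are typically stored.

    Checks the AWS_ACCESS_KEY_ID environment variable and the default AWS CLI
    files under ~/.aws. `env` and `home` are injectable so the check can be run
    against a different profile or tested without touching the real host.
    """
    env = os.environ if env is None else env
    home = Path.home() if home is None else Path(home)
    found = []
    if env.get("AWS_ACCESS_KEY_ID"):
        found.append("env:AWS_ACCESS_KEY_ID")
    for rel in (".aws/credentials", ".aws/config"):
        p = home / rel
        if p.is_file():
            found.append(str(p))
    return found


if __name__ == "__main__":
    version, dependents = find_installed_dependents()
    print(f"{TARGET} installed: {version or 'no'}")
    for d in dependents:
        print(f"  required by: {d}")
    creds = aws_credential_locations()
    print("AWS credentials present:", ", ".join(creds) if creds else "none found")
```

Run it in each Python environment of interest (a venv, a conda env, a Jupyter kernel on AAW); an installed version together with a non-empty credential list is the combination that warrants revoking and reissuing the keys, as the e-mail recommends.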