ctx PyPI account stole environment variables

ctx was a small Python package with an old release history. Its last legitimate release was in 2014, and the maintainer email domain later expired. In May 2022, the attacker registered that domain, recreated the maintainer email address, and used PyPI password recovery to take over the official package account.

The new releases looked like ordinary PyPI updates but carried a short credential theft routine. When a Ctx object was created, the code walked process environment variables, base64-encoded the collected values, and sent them to anti-theft-web.herokuapp.com. AWS keys and CI/CD secrets were the obvious prize.

The compromise mattered because the package name was legitimate. Users did not install a typosquat. They installed ctx from PyPI and received code from the official registry page tied to that project name.

The event was reported alongside the hautelook/phpass repo-jacking incident. Both attacks used abandoned identity to regain control of established package coordinates. PyPI removed ctx, deleted the release files, blocked the name from re-registration without administrator review, and froze the compromised owner account.

Motive

Credential Theft

Attribution

Person

Cause

Expired Domain Takeover

Transitive

No

Actor

Sockpuppets

• Supply Chain Attack: CTX Account Takeover and PHPass Hijack Explainedorca.security
• Detecting Poisoned Python Packages: CTX and PHPasscrowdstrike.com
• PyPI Package 'ctx' and PHP Library 'phpass' Compromised to Steal Environment Variablessonatype.com
• PyPI package ctx and PHP library phpass compromisedthehackernews.com
• Attackers compromised PyPI package to steal AWS keyscybersecuritynews.com