phpass (Hautelook fork on GitHub / Packagist)
hautelook/phpass library hijacked via GitHub org.
The GitHub organization 'hautelook', which maintained a popular fork of the phpass PHP password-hashing library, was deleted. An attacker later re-registered the 'hautelook' organization name and created a repository named 'phpass' at the same URL as the original. This new repository contained a malicious version of phpass designed to steal AWS credentials by exfiltrating environment variables. Packagist, which mirrored the original GitHub repository, then began serving this malicious version to users who updated the dependency.
- Date
- 2022-05-19 to 2022-05-24
- Category
- Open Source
- Target Surface
- Distribution
- Insertion Phase
- source
- Impact
- Data Exfiltration
- Cause
- Compromised Account/Credentials
What Was Affected
- Language
- PHP
- Component
- Library
- Artifact type
- source archive
- Domain type
- package host
- Domain
- packagist.org
Compromised Versions
Incident Context
- Motive
- Credential Theft
- Attribution
- Individual Hacker
- Transitive
- No
- User Impact
- 2500000
- Observed Duration
- 5 days
Evidence
Compromised Artifacts
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha256:bc9cf9f18f5c41cc27d53d46b579f95f3ea45a70f94a8da3060b864d3e2d18c4
External References
Source Data
Source record: oss/phpass/meta.yaml