hautelook/phpass hijacked through GitHub organization
Attackers re-registered the deleted hautelook GitHub organization and recreated its phpass repository. Packagist then served code from the hostile replacement path.
Story
hautelook/phpass failed through namespace reuse. The original GitHub organization was deleted after the project moved, but the Packagist package still pointed at the old repository path. An attacker registered the abandoned organization name and recreated the phpass repository.
Composer and Packagist trusted the coordinate. Installers resolving hautelook/phpass could fetch from the attacker's repository because the URL still matched the package metadata. No forged source was needed; the abandoned namespace itself became the source.
The malicious replacement carried code to collect environment data and secrets. Concrete CMS traced exposure through dependency resolution and published a replacement package while Packagist and GitHub removed the hostile repository.
This differs from a typosquat. The package name was established, and the attacker took over the exact upstream location that package metadata still referenced. The failure was stale ownership on an official dependency path.
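The stale-coordinate failure above is detectable from a lock file alone. The following Python script is an added example, not code from the incident record, Composer, or Packagist: it audits a composer.lock for entries still resolved from the hautelook/phpass coordinate, from the re-registered hautelook GitHub organization, or carrying the hostile artifact hash listed below. The lock-file content is constructed; the shasum field is filled in only to exercise the hash check, since Composer normally leaves it empty for GitHub-hosted dists. Package versions and commit references in the sample are placeholders.

```python
"""Audit a composer.lock for packages still resolved from the hijacked
hautelook/phpass coordinate. Added example; not code from the incident
record, Composer, or Packagist. Sample lock content below is constructed."""
import json

# Values taken from the incident record.
HOSTILE_SHA256 = "bc9cf9f18f5c41cc27d53d46b579f95f3ea45a70f94a8da3060b864d3e2d18c4"
HIJACKED_PACKAGE = "hautelook/phpass"
REPLACEMENT_PACKAGE = "bordoni/phpass"
HIJACKED_ORG = "hautelook"
OBSERVED_WINDOW = ("2022-05-19", "2022-05-24")


def github_owner(url):
    """Return the owner segment of an HTTPS or SSH GitHub clone URL, or None."""
    url = (url or "").strip()
    if url.startswith("git@github.com:"):
        path = url[len("git@github.com:"):]
    elif "://github.com/" in url:
        path = url.split("://github.com/", 1)[1]
    else:
        return None
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else None


def audit_package(pkg):
    """Return the list of reasons a single lock entry deserves review."""
    reasons = []
    name = pkg.get("name", "")
    if name == HIJACKED_PACKAGE:
        reasons.append("name is the hijacked coordinate; maintained replacement is "
                       + REPLACEMENT_PACKAGE)
    if github_owner(pkg.get("source", {}).get("url")) == HIJACKED_ORG:
        reasons.append("source URL points at the re-registered GitHub organization "
                       + HIJACKED_ORG)
    # Composer usually records an empty shasum for GitHub zip dists, so this
    # check only fires when the lock file actually carries one.
    shasum = (pkg.get("dist", {}).get("shasum") or "").lower()
    if shasum == HOSTILE_SHA256:
        reasons.append("dist shasum equals the hostile artifact hash")
    # "time" is the version's commit timestamp; a hautelook/phpass version
    # stamped inside the observed window warrants review.
    stamp = (pkg.get("time") or "")[:10]
    if name == HIJACKED_PACKAGE and OBSERVED_WINDOW[0] <= stamp <= OBSERVED_WINDOW[1]:
        reasons.append("version timestamp %s falls inside the observed window" % stamp)
    return reasons


def audit_lock(lock_text):
    """Parse composer.lock JSON and return findings for packages and packages-dev."""
    data = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            reasons = audit_package(pkg)
            if reasons:
                findings.append({"section": section, "name": pkg.get("name", ""),
                                 "version": pkg.get("version", ""), "reasons": reasons})
    return findings


# Constructed composer.lock excerpt: one entry mimicking the hijacked coordinate
# and one benign entry under a made-up vendor. Versions and refs are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "hautelook/phpass", "version": "0.0.0",
         "source": {"type": "git", "url": "https://github.com/hautelook/phpass.git",
                    "reference": "placeholder-ref"},
         "dist": {"type": "zip", "url": "", "reference": "placeholder-ref",
                  "shasum": HOSTILE_SHA256},
         "time": "2022-05-21T00:00:00+00:00"},
        {"name": "acme/benign", "version": "1.0.0",
         "source": {"type": "git", "url": "git@github.com:acme/benign.git",
                    "reference": "placeholder-ref"},
         "dist": {"type": "zip", "url": "", "reference": "placeholder-ref", "shasum": ""},
         "time": "2021-01-01T00:00:00+00:00"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print("%s %s (%s)" % (finding["name"], finding["version"], finding["section"]))
        for reason in finding["reasons"]:
            print("  - " + reason)
```

Run it against a real lock file by passing the file's contents to audit_lock. The name and source-URL checks are the ones that matter in practice; the hash and timestamp checks are supplementary, since a lock file only records a shasum when the dist carries one.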
Affected Artifacts
- Observed: 2022-05-19 to 2022-05-24
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes: sha256:bc9cf9f18f5c41cc27d53d46b579f95f3ea45a70f94a8da3060b864d3e2d18c4
- Affected Packagist scope covered hautelook/phpass versions pulled between 2022-05-19 and 2022-05-24.
- Packagist reported the affected package had not seen many installs recently and was rewired to the maintained bordoni/phpass repository.
- Public claims of millions of combined users are not treated as confirmed impacted users for this specific Packagist package.
Incident Context
- Motive: Credential Theft
- Attribution: Person
- Cause: Abandoned Namespace Takeover
- Transitive: No
- Actor: Sockpuppets
External References
- Supply chain hack phpass repo jacking (concretecms.org)
- Supply Chain Attack: CTX Account Takeover and PHPass Hijack Explained (orca.security)
- Detecting Poisoned Python Packages: CTX and PHPass (crowdstrike.com)
- PyPI Package 'ctx' and PHP Library 'phpass' Compromised to Steal Environment Variables (sonatype.com)
- PyPI package ctx and PHP library phpass compromised (thehackernews.com)
- Attackers compromised PyPI package to steal AWS keys (cybersecuritynews.com)
Source record: oss/attacks/phpass/meta.yaml