Skip to main content
banner image
venafi logo

Popular Python Package Compromised: Don’t ‘Blindly Trust Open Source’

Popular Python Package Compromised: Don’t ‘Blindly Trust Open Source’

May 25, 2022 | Brooke Crothers

After a popular Python package was compromised, it raises questions about software supply chain attacks on the open source ecosystem.

Get Fast, Simple, SaaS-Based Private PKI With Venafi!
Python package compromise

The Python package ctx, which averages over 20,000 downloads per week, was compromised on the Python Package Index (PyPI), according to both forum and social media posts and a bevy of news reports

“When we browse the release history tab, we can see various versions of ctx uploaded within the past few days,” the SANS Institute said on May 24. “It was undoubtedly weird that the original package that was uploaded on December 19, 2014, would be replaced by something identical on May 21, 2022 and have subsequent version updates (and skipping a few releases too),” the post said.

An independent researcher, who also investigated the incident, said in a tweet that the malicious activity is likely meant to mine AWS credentials.

Python is a popular programming language with a large collection of packages on Python Package Index (, allowing developers to quickly build code. 

“Many of these packages can be installed and updated by the well-known ‘pip install’ command. However, many developers may take the updating and installation process for granted and may neglect to check what might have changed in the packages,” SANS said.

An update of the SANS post advisory added that a search for the malicious domain shows that another GitHub repository has the same malicious domain embedded within the PHP code.

“It is recommended that the code in this repository not be used,” SANS said.

Both of the impacted libraries have been removed. While it’s possible that the malicious ctx version may have impacted a significant number of users, PHPass appears to have had much less of an impact, with only a limited number of installations in recent weeks.

The Register, and other publications, have framed this this as an evolving supply chain attack strategy.

The ctx package, now removed from PyPI, is a Python library for accessing Python dictionaries using dot notation. It remained unchanged over the past eight years (as it remains on GitHub) until May 14, 2022. That's when the expired email domain ( administering the PyPI account was re-registered and taken over by an unknown attacker, a supply-chain attack strategy we've recently written about in the context of JavaScript registry NPM.

--The Register, May 24, 2022

Don’t blindly trust open source

This malicious activity is part and parcel of the weaponization of open source, says Steve Judd, Senior Solutions Architect at Jetstack, a Venafi company.

“This attack on PyPI’s ‘ctx’ has the potential to be extremely damaging to companies globally…With the open source solution being downloaded over 20,000 times a week, it’s easy to see how an attack like this might spread rapidly,” Judd said.

Judd continued. “Open source components are now present in 92% of apps – they make the world go round. However, attacks like this show that companies can’t blindly trust open source solutions, as they really have very little idea who has created or contributed towards them, which leaves companies wide open,” Judd said.

What can organizations do?

Developers aren’t going to stop using open source since as it enables them to move fast. But organizations need to take a proactive approach to enabling the safe use of these solutions, according to Judd.  

“This means deploying a zero trust model in cloud native environments, analysing every open source component and evaluating its level of risk before approving or rejecting it. Of course, doing this manually would be an incredibly slow and frustrating process, creating friction between security and developer teams, so automation is an absolute must. Without it, companies simply won’t be able to develop both at speed and securely,” Judd says.

See: Our Assessment Toolkit can help you find out about software supply chain security and Blueprint for building modern, secure software development pipelines.

Related Posts


Like this blog? We think you will love this.
Featured Blog

Lloyd's Backs Off Insurance for State-Sponsored Cyberattacks

Cyber related businesses are ‘e

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Brooke Crothers
Brooke Crothers
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more