Name of the Vulnerable Software and Affected Versions ctx (affected versions not specified)

Description The ctx project on PyPI was compromised, and a malicious version was uploaded, which collects environment variables, including sensitive data like passwords and API keys, such as AWS ACCESS KEY ID and AWS SECRET ACCESS KEY, when instantiating Ctx objects. The captured data is sent to a Heroku application at "https://anti-theft-web.herokuapp.com". If the package was installed between May 14, 2022, and May 24, 2022, and environment variables contain sensitive information, it is advised to rotate passwords and keys and perform an audit to determine if they were exploited.

Recommendations Rotate passwords and keys, then perform an audit to determine if they were exploited. As a temporary workaround, consider avoiding the use of sensitive environment variables, such as AWS ACCESS KEY ID and AWS SECRET ACCESS KEY, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.