Sonatype discovered python packages stealing AWS credentials and keys.

According to Sonatype "These packages were discovered by Sonatype's automated malware detection system, offered as a part of Nexus platform products, including Nexus Firewall. On a further review, we deemed these packages malicious and reported them to PyPI."

Following packages were analyzed and identified by Sonatype security researchers Jorge Cardona and Carlos Fernández,

• loglib-modules — appears to target developers familiar with the legitimate 'loglib' library.
• pyg-modules — appears to target developers familiar with the legitimate 'pyg' library.
• pygrata — unknown target
• pygrata-utils — unknown target; contains identical malicious code to that seen in 'loglib-modules'
• hkg-sol-utils — unknown target

Scripts are uploading collected credentials to multiple endpoints on the pygrata domain. Stolen credentials are exposed to anyone on the web. Sonatype questioned that this could be a legitimate security testing? but there is not much information to rule out this suspecious activity.