Malicious takeover of ctx project on PyPI.
Incident Report for Python Infrastructure
Postmortem

Takeover of the ctx project was reported on multiple channels overnight and was mitigated as of 6:07 AM Eastern.

We confirmed via investigation that this compromise was of a single user account due to re-registration over an expired domain. The domain that hosted the users email address was re-registered 2022-05-14T18:40:05Z and a password reset completed successfully for the user at 2022-05-14T18:52:40Z. Original releases were then deleted and malicious copies uploaded.

PyPI itself was not directly compromised.

Read the full incident report at https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domain-takeover.html.

Posted May 24, 2022 - 17:33 UTC

Resolved
This incident has been resolved.
Posted May 24, 2022 - 10:00 UTC