Infosec Watchtower Logo

Breaking Down the Attack: How Unknown Threat Actors Compromised GitHub and PyPI With Sophisticated Malware Scheme

Charles M. Walls | March 25, 2024 | Views: 203

An image that visualizes a digital security breach in a highly sophisticated cyber attack. The scene shows a silhouette of a hacker with a hood.

A group of unknown attackers launched a highly sophisticated assault that targeted individual developers and the GitHub organization account of Top.gg, a popular platform for discovering Discord bots.

According to a detailed analysis by Checkmarx and shared with The Hacker News, the attackers utilized a variety of methods, such as hijacking accounts through stolen browser cookies, injecting malicious code into legitimate software, creating a deceptive Python package index, and distributing harmful packages on the PyPI registry.

This orchestrated attack on the software supply chain has resulted in the loss of sensitive data like passwords, credentials, and other critical information. This issue first came to light earlier in the month thanks to Mohammed Dief, a developer from Egypt, who unveiled parts of the operation.

A key tactic of the attackers involved the creation of a misleading domain that mimicked the official PyPI site, called "files.pypihosted[.]org." This site hosted tampered versions of popular Python packages, including colorama, a tool with over 150 million monthly downloads. The attackers modified colorama to include malicious code, cleverly hidden within the package, and made it available on their counterfeit domain. Cloudflare has since deactivated this domain.

These tampered packages were spread through various GitHub repositories, which included a requirements.txt file. This file lists the Python packages that need to be installed, thereby pulling in the compromised versions.

Despite actions taken to curb this threat, some repositories, such as one named github[.]com/whiteblackgang12/Discord-Token-Generator, remain active and continue to point to the malicious colorama version hosted on the fake domain.

Significantly, an account associated with Top.gg named "editor-syntax" made changes to a requirements.txt file on February 20, 2024, which introduced the malicious package into Top.gg's python-sdk. This action has since been rectified by the repository's maintainers.

Interestingly, the "editor-syntax" account, which is a legitimate part of the Top.gg GitHub organization with write access to its repositories, appears to have been compromised. The attackers managed to access this account by stealing session cookies, allowing them to bypass standard authentication procedures and make unauthorized changes.

The attackers were ambitious, altering up to 52 files in a single commit to hide their tracks, indicating a well-planned attempt to conceal their malicious modifications.

The fake colorama package is designed to trigger a chain reaction that ultimately executes code from an external server. This code can modify the Windows Registry to persist on the victim's computer and steal information from web browsers, cryptocurrency wallets, and various online platforms like Discord, Instagram, and Telegram.

The stolen information is then sent to the attackers through anonymous file-sharing services or directly to their own systems, along with data that identifies the victim's machine.

This incident underscores the advanced techniques used by cybercriminals to spread malware via trusted sources such as PyPI and GitHub. It serves as a stark reminder of the necessity for diligence in vetting third-party packages and repositories, even those from reputable sources. Ensuring the integrity of dependencies, monitoring network activities for anomalies, and adhering to strong security protocols are essential steps in protecting against such sophisticated cyber threats.

Source of Inspiration