Complex Supply Chain Attack Targets GitHub Developers

Unidentified threat actors used multiple tactics to launch a sophisticated software supply-chain campaign targeting developers on the GitHub platform, including members of the popular Top.gg community that includes more than 170,000 members.

The attackers used a range of tactics and techniques, from leveraging stolen browser cookies to take over accounts to contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the Python Package Index (PyPI) registry. Through these tactics, the bad actors were able to launch a silent software supply chain attack that includes stealing sensitive information from victims, according to threat intelligence researchers with cybersecurity firm Checkmarx.

“An attacker distributed a malicious dependency hosted on a fake Python infrastructure, linking it to popular projects on GitHub and to legitimate Python packages,” Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornshtain wrote in a report. “GitHub accounts were taken over, malicious Python packages were published, and social engineering schemes were used by the threat actors.”

They used the multi-stage attack to deploy a malicious payload that stole passwords, credentials, and other data from infected systems and exfiltrated it to their own infrastructure.

They also deployed a fake Python packages mirror that they used to deploy a poisoned copy of Colorama, a packaged used by developers to add color and style to text in terminal outputs. Security researchers with Imperva last month outlined an attempt to make the Fade Stealer info-stealing malware look like the Colorama package.

Targeting GitHub Developers

The Checkmarx researchers said the attackers targeting GitHub developers, as part of their attack infrastructure, used typosquatting to create a website that seemed to be a Python package mirror register under the domain “files[.]pypihosted[.]org,” which closely mirrored the official Python mirror, “files.pythonhosted.org,” which is where officials artifact files of PyPI packages are normally stored.

Colorama has more than 150 million downloads every month, according to Checkmarx. The bad actors copied it and interested malicious code. They then “concealed the harmful payload within Colorama using space-padding and hosted this modified version on their typosquatted-domain fake-mirror,” the researchers wrote.

This technique gave the Colorama with the malicious code the appearance of being a legitimate dependency because it was difficult to identify the package as harmful. They also used a strategy where they simultaneously committed multiple files, including the requirements file containing the malicious link, with legitimate files, essentially hiding the malicious link among legitimate dependencies and making detection less likely.

“In addition to spreading the malware through malicious GitHub repositories, the attacker also utilized a malicious Python package called ‘yocolor’ to further distribute the ‘colorama’ package containing the malware,” the researchers wrote. “They employed the same typosquatting technique, hosting the malicious package on the domain ‘files[.]pypihosted[.]org’ and using an identical name to the legitimate ‘colorama’ package.”

Some details of the attack were outlined earlier in the month by Mohammed Dief, a developer who fell victim to the scheme. In a column on Medium, Dief wrote that after a couple of error messages, he detected a problem with Colorama and determined that he had been hacked. After figuring out the problem, he listed the other repos where he had found that contained the malware. He also stressed the need to check the repo before downloading it.

Top.gg Community at Risk

To extend their reach beyond creating malicious repositories through their own accounts, the attackers hijacked GitHub accounts with good reputations, using the resources in those accounts to contribute malicious commits, according to the Checkmarx researchers. One of the victims is the GitHub account editor-syntax, a top maintainer of Top.gg and which has write permissions to the community’s repositories. By gaining control of the account, they were able to insert malicious commits and start multiple malicious GitHub repositories, further increasing their visibility and credibility.

The malware is able to steal a broad array of information, including data from browsers such as Edge, Chrome, Opera, and Yandex. The data includes autofill information, cookies, credit cards, login credentials, and browsing history. It gets into Discord, looking for tokens that it can decrypt to gain access into the victim’s account and steals cryptocurrency wallets, it grabs Telegram session data, and exfiltrates computer files, targeting directories such as “Desktop,” “Downloads,” “Documents,” and “Recent Files.”

It looks to steal sensitive information from Instagram files using a session token and can log victims’ keystrokes, saving them to a file that is uploaded to the bad actors’ server, allowing the attackers to monitor and record the typed input and exposing such details as passwords, personal messages, and financial details.

“This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI [Python Package Index] and GitHub,” the Checkmarx researchers wrote. “This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks.”