An unidentified group of threat actors orchestrated a sophisticated supply chain cyberattack against members of the Top.gg GitHub organization and individual developers in order to inject malicious code into the code ecosystem.
Attackers have infiltrated trusted elements of software development to compromise developers. They took control of GitHub accounts with stolen cookies, contributed malicious code via verified commits, created a spoofed Python mirror, and dropped tainted packages into the PyPI registry.
“Multiple TTPs help attackers create sophisticated attacks, evade detection, increase the chances of successful exploitation, and complicate defense efforts,” says Jossef Harush Kadouri, head of software supply chain security at Checkmarx.
According to a blog post by Checkmarx researchers, the attackers used a convincing typosquatting technique with a fake Python mirror domain similar to the official one to deceive users.
By tampering with popular Python packages like Colorama, used by more than 150 million users to simplify the text formatting process, attackers have hidden malicious code inside seemingly legitimate software, expanding their reach beyond GitHub repositories.
They also exploited high-reputation Top.gg GitHub accounts to place malicious commits and increase the credibility of their actions. Top.gg is made up of 170,000 members.
Data theft
In the final stage of the attack, the malware used by the threat group steals sensitive information from the victim. It can target popular user platforms, including web browsers such as Opera, Chrome, and Edge, going after cookies, autofill data, and credentials. The malware also eradicates Discord accounts and abuses decrypted tokens to gain unauthorized access to victims’ accounts on the platform.
The malware can steal the victim’s cryptocurrency wallets, Telegram session data, and Instagram profile information. In the latter scenario, the attacker uses the victim’s session tokens to retrieve their account details, employing a keylogger to capture keystrokes, potentially compromising passwords and personal messages.
The data stolen in these individual attacks is then exfiltrated to the attacker’s server using various techniques, including anonymous file sharing services and HTTP requests. Attackers use unique identifiers to track each victim.
To evade detection, the attackers used complex obfuscation techniques in their code, including whitespace manipulation and misleading variable names. They established persistence mechanisms, modified system registries, and performed data-stealing operations on various software applications.
Despite these sophisticated tactics, some vigilant members of the Top.gg community noticed the malicious activities and reported them, which led Cloudflare to remove the abused domains, according to Checkmarx. Even so, Checkmarx’s Kadouri still considers the threat “active.”
How to protect developers
IT security professionals should regularly monitor and audit contributions to new code projects and focus on training and raising awareness of developers about the risks of supply chain attacks.
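One way to audit a project for the spoofed-mirror technique described above is to check every package URL in a requirements file against the hosts the project is meant to install from. The following is an added example, not code from Checkmarx or Top.gg; it assumes the default PyPI hosts are the only trusted ones, and the sample file and its .test and .example hosts are constructed.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumption: the project installs only from the default PyPI hosts.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
URL_RE = re.compile(r"https?://[^\s'\"#]+")


def classify_host(host, trusted=TRUSTED_HOSTS, threshold=0.75):
    """Return 'trusted', 'lookalike' (near miss of a trusted host) or 'untrusted'."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted"
    # A host that is almost, but not exactly, a trusted one is the typosquatting signal.
    if any(SequenceMatcher(None, host, good).ratio() >= threshold for good in trusted):
        return "lookalike"
    return "untrusted"


def audit_requirements(text):
    """Return (line_no, host, verdict) for each URL whose host is not trusted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split(" #", 1)[0]          # drop trailing comment
        if line.lstrip().startswith("#"):      # skip full-line comment
            continue
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            verdict = classify_host(host)
            if verdict != "trusted":
                findings.append((line_no, host, verdict))
    return findings


# Constructed sample input; the .test and .example hosts are made up.
SAMPLE = """\
--index-url https://pypi.org/simple
requests==2.31.0
colorama @ https://files.pythonhosted.org/packages/colorama-0.0.0.tar.gz
colorama @ https://files.pythonhosled.test/packages/colorama-0.0.0.tar.gz
--extra-index-url https://packages.internal.example/simple  # team mirror
# https://files.pythonhosled.test/commented-out
"""

if __name__ == "__main__":
    for line_no, host, verdict in audit_requirements(SAMPLE):
        print(f"line {line_no}: {host} -> {verdict}")
```

A "lookalike" verdict deserves immediate review, while "untrusted" hosts such as an internal mirror can be added to the allowlist once verified.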
“We believe in putting aside the competition and working together to make open source ecosystems safe from attackers,” says Kadouri. “Sharing resources is critical to gaining an advantage over actors threatening the software supply chain.”
According to Kadouri, attacks on the software supply chain will continue. “I believe the evolution of supply chain attacks will increase in build pipelines, artificial intelligence and large language models.”
Recently, machine learning model repositories like Hugging Face have provided opportunities for threat actors to inject malicious code into development environments, similar to the npm and PyPI open source repositories.
More software supply chain security issues have surfaced recently, including ones affecting cloud versions of the JetBrains TeamCity software development platform manager, as well as malicious code updates slipped into hundreds of GitHub repositories in September.
Furthermore, weak authentication and access controls allowed Iranian hacktivists to conduct a supply chain attack earlier this month on Israeli universities via a technology provider.