Unidentified adversaries orchestrated a sophisticated attack campaign that affected several individual developers, as well as the GitHub organization account associated with Top.gg, a Discord bot detection site.
“Threat actors used multiple TTPs in this attack, including taking over accounts via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry,” Checkmarx said in a technical report shared with The Hacker News.
The attack on the software supply chain is said to have led to the theft of sensitive information, including passwords, credentials and other valuable data. Some aspects of the campaign were previously disclosed earlier this month by an Egypt-based developer named Mohammed Dief.
It centered on a clever typosquat of the official PyPI file-hosting domain, “files.pythonhosted[.]org”: the attackers registered the lookalike “files.pypihosted[.]org” and used it to host trojanized versions of the colorama package. Cloudflare has since taken the domain down.
“The threat actors took Colorama (a very popular tool with over 150 million monthly downloads), copied it, and inserted malicious code,” Checkmarx researchers said. “They then hid the malicious payload inside Colorama using space padding and hosted this modified version on their fake mirror of the typo-ridden domain.”
These rogue packages were then propagated via GitHub repositories such as github[.]com/maleduque/Valorant-Checker and github[.]com/Fronse/League-of-Legends-Checker, each of which contained a requirements.txt file, the list of Python packages that the pip package manager installs for the project.
One repository that remained active at the time of writing is github[.]com/whiteblackgang12/Discord-Token-Generator, which includes a reference to the malicious version of colorama hosted at “files.pypihosted[.]org.”
The requirements.txt file of Top.gg’s python-sdk was also modified as part of the campaign, by an account named editor-syntax, on February 20, 2024. The repository maintainers have since resolved the issue.
It is worth noting that the “editor-syntax” account is a legitimate maintainer of the Top.gg GitHub organization with write permissions on the Top.gg repositories, indicating that the threat actor hijacked the verified account to push a malicious commit.
“The GitHub account of ‘editor-syntax’ was likely hacked via stolen cookies,” Checkmarx noted.
“The attacker gained access to the account’s session cookies, allowing him to bypass authentication and perform malicious activities using the GitHub user interface. This method of account takeover is particularly concerning, as it does not require that the attacker know the account password.”
Furthermore, the threat actors behind the campaign are said to have bundled multiple unauthorized repository changes into a single commit, altering up to 52 files in one instance, in an attempt to hide the change to the requirements.txt file.
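The two tampering patterns described above (a lookalike of files.pythonhosted.org in a requirements file, and a direct package URL buried in a large commit) can be caught before `pip install` runs. The following checker is an added example, not code from Checkmarx or Top.gg; it assumes only pypi.org and files.pythonhosted.org are trusted and uses a constructed requirements file with a placeholder package path.

```python
import re
from urllib.parse import urlparse

# Hosts a plain "pip install" is expected to reach. Assumption: no private index
# is in use; add your own mirror here if you run one.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
LOOKALIKE_MAX_EDITS = 4  # heuristic: hostnames this close to a trusted host are suspicious

# Ways a requirements file can redirect pip to another server: index/find-links
# options, and PEP 508 direct references ("colorama @ https://host/colorama.tar.gz").
_OPTION_RE = re.compile(r"(?<!\S)(?:--index-url|--extra-index-url|--find-links|-i|-f)[=\s]+(\S+)")
_DIRECT_RE = re.compile(r"^[\w.\-\[\],]+?\s*@\s*(\S+)")

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats of the trusted hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_requirements(text: str) -> list:
    """Return one finding per line that points pip at a host outside TRUSTED_HOSTS."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = re.sub(r"(^|\s)#.*$", "", line).strip()  # drop pip-style comments
        if not stripped:
            continue
        for url in _OPTION_RE.findall(stripped) + _DIRECT_RE.findall(stripped):
            host = (urlparse(url).hostname or "").lower()
            if not host or host in TRUSTED_HOSTS:
                continue
            closest = min(TRUSTED_HOSTS, key=lambda t: _edit_distance(host, t))
            lookalike = _edit_distance(host, closest) <= LOOKALIKE_MAX_EDITS
            findings.append({"line": lineno, "host": host, "text": stripped,
                             "lookalike_of": closest if lookalike else None})
    return findings

# Constructed sample mimicking the pattern in the report; the package path and
# version are placeholders, only the hostnames come from the article.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
requests==2.31.0
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz  # looks official
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f['line']}: untrusted host {f['host']}"
              + (f" (lookalike of {f['lookalike_of']})" if f["lookalike_of"] else ""))
```

Run it as a pre-commit hook or CI step over every requirements file in the repository; a `lookalike_of` hit is the typosquat case, while any other untrusted host still deserves a manual look.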
The malware embedded in the counterfeit colorama package triggers a multi-step infection sequence that leads to the execution of Python code fetched from a remote server. That code, in turn, establishes persistence on the host via Windows registry modifications and steals data from web browsers, crypto wallets, Discord tokens, and session tokens related to Instagram and Telegram.
“The malware includes a file stealer component that searches for files with specific keywords in their names or extensions,” the researchers said. “It targets directories like Desktop, Downloads, Documents, and Recent Files.”
The captured data is ultimately exfiltrated to the attackers via anonymous file-sharing services such as GoFile and Anonfiles. Alternatively, it is sent to the threat actor’s infrastructure using HTTP requests, along with a hardware identifier or IP address to track the victim’s computer.
“This campaign is a great example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms such as PyPI and GitHub,” the researchers concluded.
“This incident highlights the importance of vigilance when installing packages and repositories, even from trusted sources. It is critical to carefully review dependencies, monitor suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks.”