
Cybercriminals Breach GitHub Accounts in Targeted Supply Chain Attack Impacting Top-gg and Other Companies

A sophisticated attack campaign by unidentified adversaries has impacted several individual developers and the GitHub organization account of Top.gg, a Discord bot discovery site.

Checkmarx, in a technical report shared with The Hacker News, stated, “The attackers used multiple tactics in this attack, including account takeover through stolen browser cookies, inserting malicious code with verified commits, creating a custom Python mirror, and uploading malicious packages to the PyPI registry.”

This supply chain attack resulted in the theft of sensitive data like passwords, credentials, and other valuable information. Some aspects of the attack were disclosed by an Egypt-based developer named Mohammed Dief at the beginning of the month.

The attackers set up a typosquatted domain “files.pypihosted[.]org” as a mirror to the official PyPI domain “files.pythonhosted[.]org” to host trojanized versions of popular packages like colorama. The domain has since been taken down by Cloudflare.

The attackers inserted malicious code into Colorama, a widely used package with over 150 million monthly downloads. They concealed the payload inside Colorama's source using space padding and hosted the altered version on their typosquatted fake-mirror domain.

These rogue packages were distributed via GitHub repositories like github[.]com/maleduque/Valorant-Checker and github[.]com/Fronse/League-of-Legends-Checker, which included a requirements.txt file listing Python packages to be installed by the pip package manager.

One active repository is github[.]com/whiteblackgang12/Discord-Token-Generator, which references the malicious version of colorama hosted on “files.pypihosted[.]org.”

The requirements.txt file associated with Top.gg’s python-sdk was also altered by an account named editor-syntax on February 20, 2024. The issue has been resolved by the repository maintainers.

The verified account editor-syntax, belonging to a legitimate maintainer of the Top.gg GitHub organization, was used by the threat actor to commit malicious code after the account was hijacked through stolen cookies.

The threat actors pushed multiple changes to the rogue repositories in one commit to conceal the alterations to the requirements.txt file.
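The requirements.txt changes described above are easy to miss in a large commit but easy to catch mechanically: any line that points pip at a download or index host other than the official PyPI hosts deserves review. The following check is an added example, not code from the article, Checkmarx or Top.gg; the sample requirements file is constructed, with only the files.pypihosted.org host taken from the article.

```python
import re
from urllib.parse import urlsplit

# Hosts pip legitimately contacts when resolving packages from the public PyPI index.
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Constructed sample requirements.txt modelled on the attack described in the article.
# Only the typosquatted host is taken from the report; package names and versions are made up.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
--index-url https://pypi.org/simple
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz  # looks pinned, is not
--extra-index-url https://files.pypihosted.org/simple
discord.py>=2.0
"""

URL_RE = re.compile(r"https?://[^\s'\"]+")


def suspicious_lines(text):
    """Return (line_no, host, line) for every requirements line that would make pip
    download from, or consult an index on, a host outside OFFICIAL_HOSTS.

    Covers direct-URL requirements (``name @ https://...``), ``--index-url``,
    ``--extra-index-url`` and ``--find-links`` alike, since all of them carry a URL.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        if not line:
            continue
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if host not in OFFICIAL_HOSTS:
                findings.append((n, host, line))
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; a CI job would read the repository's own file instead.
    for n, host, line in suspicious_lines(SAMPLE_REQUIREMENTS):
        print(f"line {n}: non-official host {host!r}: {line}")
```

Running this as a pre-install or CI step flags the two lines that reach for the typosquatted mirror while leaving the pypi.org index line alone.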

The malware in the fake colorama package triggers a multi-stage infection process that executes Python code fetched from a remote server, establishes persistence on the host by modifying the Windows Registry, and steals data from web browsers and crypto wallets, Discord tokens, and session tokens linked to Instagram and Telegram.

The stolen data is sent to the attackers through file-sharing services like GoFile and Anonfiles or directly to the threat actor’s infrastructure using HTTP requests, along with the hardware identifier or IP address for tracking purposes.

This incident showcases the intricate tactics used by malicious actors to distribute malware through trusted platforms like PyPI and GitHub. It emphasizes the need for caution when installing packages and repositories, even from trusted sources, and for strong security practices to mitigate the risk of such attacks.
