Highlights:

  • The attackers’ actions encompassed distributing a dependency hosted on a counterfeit Python infrastructure, linking it to renowned projects on GitHub and authentic Python packages.
  • The GitHub account “editor-syntax” was among the victims and a Top maintainer.gg GitHub group has write permissions to Top.gg’s git repositories.

Application security testing firm Checkmarx Ltd. unveiled findings on a newly uncovered software supply chain attack. This attack targeted Top.gg, a widely used platform for discovering Discord servers and bots, and individual developers on GitHub.

The threat actors utilized various tactics, techniques, and procedures to gain access. These included account takeover through stolen browser cookies, injecting malicious code with verified commits, establishing a custom Python mirror, and distributing malicious packages via the PyPi registry. Therefore, the outcome was a covert software supply chain attack, surreptitiously siphoning sensitive information from the victims.

The attackers’ actions encompassed distributing a dependency hosted on a counterfeit Python infrastructure, linking it to renowned projects on GitHub and authentic Python packages. This facilitated the takeover of GitHub accounts and the publication of malicious Python packages.

The attackers employed a typosquat of the official PyPi domain, naming it “files.pypihosted.org” instead of “files.pythonhosted.org.” By leveraging the fake domain name, the attackers deceived users into downloading malicious iterations of popular packages like Colorama.

The researchers at Checkmarx clarified, “The threat actors took Colorama (a highly popular tool with 150 million monthly downloads), copied it, and inserted malicious code. They then concealed the harmful payload within Colorama using space padding and hosted this modified version on their typosquatted-domain fake mirror.”

They emphasized that the tactic makes it “considerably more challenging to identify the package’s harmful nature with the naked eye, as it initially appears to be a legitimate dependency.”

Additionally, the attackers expanded their scope beyond creating malicious repositories by hijacking GitHub accounts with high reputations. They then utilized the resources associated with those accounts to contribute malicious commits. The GitHub account “editor-syntax,” which is also a maintainer of the Top.gg GitHub group and has write access to Top.gg’s git repositories, was among the casualties.

Having gained control over the account, the attackers made a malicious commit to the top-gg/python-sdk repository, utilizing the stolen identity of “editor-syntax.” They appended instructions to the requirements.txt file, directing users to download the tainted version of Colorama from their fraudulent Python mirror. Furthermore, they utilized the stolen account to initiate numerous malicious GitHub repositories, amplifying their visibility and credibility.

The researchers conclude that this incident underscores the importance of remaining vigilant when installing packages and repositories, even from ostensibly trusted sources.

Applications programming interface security startup Cequence Security Inc.’s resident hacker, Jason Kent, told a famous media house that “these new supply chain attacks are becoming increasingly creative and showing that attackers have all the time in the world to attack code, infrastructure, users and whatever they like.”

Kent also said, “This attack was sophisticated in nature and is looking to create havoc on systems that users are accessing daily. Imagine if all of your passwords, API Keys, and session tokens were hijacked at the same time, and the attackers drained your bank account, deleted your work, and left a system that isn’t functioning. Be prepared, log out of your systems when you are done, don’t store API Keys, and make sure your authentication artifacts are as ephemeral as possible.”