Hackers Hijack GitHub Accounts in a Supply Chain Attack Targeting Top.gg and Others

A sophisticated attack campaign, attributed to as-yet unidentified threat actors, has compromised multiple individual developers as well as the GitHub organization account belonging to Top.gg, a Discord bot discovery platform.

“The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry,” Checkmarx stated in a technical report shared with The Hacker News.

Sensitive data, including passwords, credentials, and other valuable information, is said to have been stolen in the software supply chain attack. Egyptian developer Mohammed Dief first disclosed details of the campaign at the beginning of the month.

The campaign hinged on a typosquatted domain, “files.pypihosted[.]org”, a lookalike of the official PyPI file-hosting domain “files.pythonhosted[.]org”. The attackers used it as a fake mirror to host trojanized versions of popular packages such as Colorama. Because pip will fetch a package from any direct URL named in a requirements file, a single line pointing at the lookalike host is enough to swap in the trojanized copy. Cloudflare has since taken the domain down.

“The threat actors took Colorama (a highly popular tool with 150+ million monthly downloads), copied it and inserted malicious code. They then concealed the harmful payload within Colorama using space padding and hosted this modified version on their typosquatted-domain fake mirror,” as stated by the Checkmarx researchers.
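The concealment technique described in the quote above is easy to check for mechanically. The following Python scanner is an added example written for this article, not Checkmarx's tooling and not code from the Colorama project: it flags source lines where a long run of whitespace (the 200-character threshold is an assumption) pushes code out of an editor's view, and cross-references those lines against exec/eval/compile/__import__ calls found by parsing the file. The sample module it scans is constructed to mimic the pattern and is not the actual malicious file.

```python
"""Find code hidden behind long whitespace runs in Python source.

Added example for this article; not Checkmarx's tooling and not code from
the Colorama project. The padding threshold and the sample file are
assumptions made for the example.
"""
import ast
import re

# A run of whitespace this long inside a line has no legitimate formatting
# purpose; anything after it is off-screen in an editor. (Threshold is an
# assumption; real code rarely exceeds a few dozen spaces in a row.)
PAD_THRESHOLD = 200
PAD_RE = re.compile(r"[ \t]{%d,}(?=\S)" % PAD_THRESHOLD)

# Calls that turn data into executable code; their presence on a padded line
# is the strongest signal.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}


def suspicious_call_lines(source: str):
    """Map line number -> set of suspicious call names found by parsing source."""
    found = {}
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # A file that does not parse still gets the padding check below.
        return found
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in SUSPICIOUS_CALLS:
            found.setdefault(node.lineno, set()).add(name)
    return found


def scan_padded_payloads(source: str):
    """Return one hit per line that hides code behind a long whitespace run."""
    calls = suspicious_call_lines(source)
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = PAD_RE.search(line)
        if m is None:
            continue
        hits.append({
            "line": lineno,
            "pad_len": m.end() - m.start(),
            "calls": sorted(calls.get(lineno, ())),
            "preview": line[m.end():][:60],  # what the editor would not show
        })
    return hits


# Constructed sample mimicking the technique: an innocuous-looking module with
# one line whose real payload sits 500 spaces to the right. The base64 blob
# decodes to print('hi'); nothing here executes it.
SAMPLE_SOURCE = (
    "from .ansi import Fore, Back, Style\n"
    "__version__ = '0.4.6'\n"
    "def init(autoreset=False):\n"
    "    pass\n"
    "try: import os" + " " * 500
    + "; exec(__import__('base64').b64decode(b'cHJpbnQoJ2hpJyk='))\n"
    "except Exception: pass\n"
)

if __name__ == "__main__":
    for h in scan_padded_payloads(SAMPLE_SOURCE):
        print(f"line {h['line']}: {h['pad_len']} chars of padding, "
              f"calls {h['calls']}, hidden: {h['preview']!r}")
```

Run it over every .py file in a freshly downloaded sdist before installing; a padded line that also carries an exec or __import__ call is worth a manual look regardless of what the package's name or download count suggests.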

These rogue packages were then distributed through GitHub repositories such as “github[.]com/maleduque/Valorant-Checker” and “github[.]com/Fronse/League-of-Legends-Checker”, whose requirements.txt files, the list of Python packages that pip installs for a project, referenced the trojanized Colorama.

One repository, “github[.]com/whiteblackgang12/Discord-Token-Generator”, was still live as of this writing and contains a link to the malicious Colorama hosted on “files.pypihosted[.]org”.
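A requirements.txt that names a direct download URL is exactly what makes this substitution work: pip fetches whatever archive the URL points to. As an added example (not Checkmarx's, Top.gg's or pip's code), the following Python script audits a requirements file for URLs on hosts other than pypi.org and files.pythonhosted.org and measures how closely each such host resembles an official one, so a typosquat stands out from, say, a deliberately configured internal mirror. The allowlist, the edit-distance threshold and the sample requirements text are assumptions made for the example; the sample is constructed and is not the contents of any repository named in this article.

```python
"""Audit a requirements.txt for package URLs served from lookalike hosts.

Added example for this article; not code from Checkmarx, Top.gg or pip.
The allowlist, the distance threshold and the sample file are assumptions.
"""
import re
from urllib.parse import urlsplit

# Hosts the public PyPI index and its file storage actually use (assumption:
# extend this if your organisation runs an approved private mirror).
OFFICIAL_HOSTS = ("pypi.org", "files.pythonhosted.org")

# Matches every URL on a line, which covers "name @ https://...", bare URLs and
# the --index-url / --extra-index-url / --find-links options pip honours.
URL_RE = re.compile(r"https?://[^\s#]+")

# pip treats "#" as a comment only at line start or after whitespace.
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def nearest_official(host: str):
    """Return (official_host, distance) for the closest allowlisted host."""
    return min(((h, levenshtein(host, h)) for h in OFFICIAL_HOSTS),
               key=lambda t: t[1])


def audit_requirements(text: str):
    """Return one finding per URL whose host is not an official PyPI host.

    A finding is marked as a lookalike when its host is within a few edits of
    an official host (threshold: one fifth of the official name, minimum 2;
    a heuristic chosen for this example).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if host in OFFICIAL_HOSTS:
                continue
            official, dist = nearest_official(host)
            lookalike = dist <= max(2, len(official) // 5)
            findings.append({
                "line": lineno,
                "host": host,
                "url": url,
                "lookalike_of": official if lookalike else None,
                "distance": dist,
            })
    return findings


# Constructed sample: the lookalike host is the one named in the article, the
# package path is a placeholder, and the internal mirror is fictitious.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the contents of any real repository
requests==2.31.0
colorama @ https://files.pypihosted.org/packages/xx/yy/colorama-0.4.6.tar.gz
--extra-index-url https://mirror.example.internal/simple
numpy>=1.26  # see https://docs.example.org for pinning policy
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        tag = (f"LOOKALIKE of {f['lookalike_of']}" if f["lookalike_of"]
               else "non-official host")
        print(f"line {f['line']}: {f['host']} ({tag}, distance {f['distance']})")
```

On the constructed sample the colorama line is reported as a lookalike of files.pythonhosted.org at edit distance 4, while the internal mirror is reported as merely non-official, which is the distinction a reviewer needs before deciding whether a URL entry is a policy choice or an attack. Pinned names with hashes (the `--hash=` form) are the safer alternative to direct URLs wherever a project can use them.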

Separately, on February 20, 2024, an account named “editor-syntax” modified the “requirements.txt” file of Top.gg's Python SDK as part of the same campaign. The repository maintainers have since remediated the change.

Notably, the “editor-syntax” account is a verified maintainer of the Top.gg GitHub organization with write access to its repositories, which indicates the threat actor gained control of a legitimate, trusted account and used it to contribute the malicious code. Because commits submitted through GitHub's web interface are signed with GitHub's own key, such commits display as “Verified” even when the account's rightful owner never made them; the badge attests only that the change went through GitHub, not who was behind the browser session.

“The GitHub account of ‘editor-syntax’ was likely hijacked through stolen cookies. The attacker gained access to the account's session cookies, allowing them to bypass authentication and perform malicious activities using the GitHub UI. This method of account takeover is particularly concerning, as it does not require the attacker to know the account's password,” stated Checkmarx.

Furthermore, to make the change to requirements.txt harder to notice, the threat actors are said to have made it as part of a single commit that touched 52 files in the affected repositories, burying the one-line dependency change among dozens of unrelated edits.

The operation is believed to date back to November 2022, when the attackers uploaded four bogus packages to PyPI. Ten more packages followed, the most recent being “yocolor”, published on March 5, 2024.

“yocolor”, in turn, is designed to propagate the trojanized “Colorama”, underscoring how the threat actor abused trust in the open-source package ecosystem: the malicious library gets installed simply by being listed as a dependency in a project's requirements.txt file.

The malware in the fake Colorama package kicks off a multi-stage infection chain that ends with Python code fetched from a remote server being executed. That code establishes persistence on the host by modifying the Windows Registry and harvests data from web browsers, cryptocurrency wallets, Discord tokens, and Instagram and Telegram session tokens.

“The malware includes a file stealer component that searches for files with specific keywords in their names or extensions. It targets directories such as Desktop, Downloads, Documents, and Recent Files,” the researchers said.

The harvested data is ultimately exfiltrated to the attackers through anonymous file-sharing services such as Anonfiles and GoFile, or via HTTP requests to the threat actor's own infrastructure, accompanied by the victim machine's hardware identifier or IP address so that individual systems can be tracked.

“This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI and GitHub. This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks,” the researchers concluded.

Update

As of this update, the repository “github[.]com/whiteblackgang12/Discord-Token-Generator” is no longer accessible on GitHub.