
Sophisticated Attack Campaign Impacts GitHub Developers and Top.gg – Checkmarx Report

A recent attack campaign has left several individual developers and the GitHub organization account associated with Top.gg, a Discord bot discovery site, reeling from the impact. The attack was orchestrated by unidentified adversaries who employed multiple tactics to infiltrate the system.

According to a technical report by Checkmarx, the attackers used various techniques, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom mirror, and publishing malicious packages to the registry. The software supply chain attack resulted in the theft of sensitive information, including passwords, credentials, and other valuable data.

The campaign's chief strategy involved setting up a clever typosquat of the official domain known as “files.pythonhosted[.]org,” which they named “files.pypihosted[.]org” and used to host trojanized versions of well-known packages like colorama. They concealed the harmful payload within colorama using space padding, then hosted this modified version on the typosquatted domain as a fake mirror.
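The space-padding trick described above works because a line that starts with legitimate code, followed by hundreds of spaces, then the payload, looks clean in any editor that does not wrap long lines. The following is an added defender-side check, not code from the Checkmarx report or from the colorama project: it scans Python source for long whitespace runs that are followed by more code on the same line. The threshold of 80 characters and the constructed sample module are assumptions chosen for illustration.

```python
"""Flag whitespace padding that pushes code off-screen in Python source.

Added defender-side check, not code from the Checkmarx report or from
colorama. PAD_THRESHOLD and SAMPLE_SOURCE below are assumptions.
"""
import re
import sys
from typing import NamedTuple

# Runs of spaces/tabs at least this long, followed by more code on the same
# line, rarely occur in legitimate Python; normal indentation is far shorter.
PAD_THRESHOLD = 80

_PAD_RE = re.compile(r"[ \t]{%d,}(?=\S)" % PAD_THRESHOLD)


class Finding(NamedTuple):
    line_no: int
    pad_len: int   # length of the whitespace run
    hidden: str    # start of the code that follows it


def find_padded_lines(source: str) -> list[Finding]:
    """Return every line containing a long whitespace run followed by code."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        line = line.rstrip()  # trailing whitespace alone hides nothing
        for m in _PAD_RE.finditer(line):
            findings.append(Finding(line_no, m.end() - m.start(), line[m.end():][:60]))
    return findings


# Constructed sample: a harmless-looking module whose last line carries a
# call hidden behind 400 spaces, the layout the report describes.
SAMPLE_SOURCE = (
    "import os\n"
    "def init():\n"
    "    return True\n"
    "x = 1;" + " " * 400 + "hidden_call()  # constructed stand-in for a payload\n"
)

if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample.
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE_SOURCE)]
    for name, src in sources:
        for f in find_padded_lines(src):
            print(f"{name}:{f.line_no}: {f.pad_len} chars of padding before {f.hidden!r}")
```

Run it over the unpacked contents of a downloaded wheel or sdist before installing; a hit is not proof of malice, but a legitimate package has no reason to put code 400 columns to the right of a statement.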

These rogue packages were propagated via various GitHub repositories such as github[.]com/maleduque/Valorant-Checker and github[.]com/Fronse/League-of-Legends-Checker that contained a requirements.txt file, which serves as the list of packages to be installed by the pip package manager. One repository that continues to remain active is github[.]com/whiteblackgang12/Discord-Token-Generator, which includes a reference to the malicious version of colorama hosted on “files.pypihosted[.]org.”
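The delivery vector in both the rogue repositories and the Top.gg case was a requirements.txt line pointing pip at a host that merely resembles files.pythonhosted.org. The following is an added example, not code from Checkmarx, Top.gg or pip, that audits a requirements file for every URL whose host is outside an assumed allowlist of official PyPI hosts, reports hosts that closely resemble an official one as lookalikes, and flags `--trusted-host` lines, which disable TLS verification for that host. The allowlist, the similarity threshold and the constructed sample file are assumptions; the `#egg=` handling relies on pip's documented rule that `#` starts a comment only at line start or after whitespace.

```python
"""Audit a requirements.txt for dependencies pulled from outside PyPI.

Added example, not code from Checkmarx, Top.gg or pip. OFFICIAL_HOSTS,
LOOKALIKE_THRESHOLD and SAMPLE_REQUIREMENTS are assumptions for illustration.
"""
from __future__ import annotations

import difflib
import re
import sys
from typing import NamedTuple
from urllib.parse import urlparse

# Hosts a plain PyPI install talks to; anything else deserves a look.
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# SequenceMatcher ratio at or above which a host is reported as a lookalike.
LOOKALIKE_THRESHOLD = 0.8

# pip treats '#' as a comment only at line start or after whitespace, so the
# '#egg=' fragment of a VCS URL survives this strip.
_COMMENT_RE = re.compile(r"(^|\s)#.*$")
# Bare URLs, 'name @ url' requirements, VCS URLs and index options.
_URL_RE = re.compile(r"(?:\w+\+)?https?://\S+")


class Finding(NamedTuple):
    line_no: int
    host: str
    reason: str
    line: str


def lookalike_of(host: str) -> str | None:
    """Return the official host this one resembles, if any."""
    for official in OFFICIAL_HOSTS:
        if difflib.SequenceMatcher(None, host, official).ratio() >= LOOKALIKE_THRESHOLD:
            return official
    return None


def audit_requirements(text: str) -> list[Finding]:
    """Report every line that fetches from, or trusts, a non-official host."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = _COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("--trusted-host"):
            parts = line.split()
            host = parts[1].lower() if len(parts) > 1 else ""
            findings.append(Finding(line_no, host, "--trusted-host disables TLS verification", line))
            continue
        for url in _URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host in OFFICIAL_HOSTS:
                continue
            official = lookalike_of(host)
            reason = f"lookalike of {official}" if official else "non-PyPI host"
            findings.append(Finding(line_no, host, reason, line))
    return findings


# Constructed sample; the real Top.gg file is not reproduced here.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the real Top.gg requirements.txt
colorama==0.4.6
requests>=2.31
https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz  # lookalike host
-e git+https://github.com/example/internal-tool.git#egg=internal_tool
--extra-index-url https://pypi.org/simple
--trusted-host mirror.corp.example
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    for f in audit_requirements(text):
        print(f"line {f.line_no}: {f.reason} ({f.host}): {f.line}")
```

On the constructed sample this reports the files.pypihosted.org line as a lookalike of files.pythonhosted.org, the GitHub VCS dependency as a non-PyPI host worth reviewing, and the `--trusted-host` line; the `--extra-index-url` pointing at pypi.org is left alone. Wiring this into CI on every change to requirements.txt is one way to make a single altered line stand out even when it is buried among dozens of other changed files.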

The attackers also altered the requirements.txt file of Top.gg's -sdk repository, using an account named editor-syntax, on February 20, 2024. The account belonged to a legitimate maintainer of the Top.gg GitHub organization and had write permissions to Top.gg's repositories, indicating that the threat actor had hijacked the verified account to push a malicious commit.

Checkmarx noted that the “editor-syntax” account was likely hijacked through stolen cookies. This allowed the attacker to bypass authentication and perform malicious activities using the GitHub UI. This method of account takeover is particularly concerning, as it does not require the attacker to know the account's password.

The threat actors behind the campaign are said to have pushed multiple changes to the rogue repositories in a single commit, altering as many as 52 files in one instance to conceal the changes to the requirements.txt file.

The malware embedded in the counterfeit colorama package activates a multi-stage infection sequence that leads to the execution of code from a remote server capable of establishing persistence on the host via Registry changes and stealing data from browsers, crypto wallets, Discord tokens, and more.

This attack campaign underscores the importance of maintaining secure development practices and implementing measures to detect and prevent supply chain attacks. It also highlights the need for developers to remain vigilant and cautious when using third-party packages and repositories.


Deitasoft © 2024. All Rights Reserved.