The Checkmarx Research team has uncovered a sophisticated attack campaign that affected several individual developers as well as the GitHub account associated with Top.gg, a prominent Discord bot discovery site.
The campaign employed multiple Tactics, Techniques, and Procedures (TTPs), including account takeovers facilitated by stolen browser cookies, the injection of malicious code via verified commits, the establishment of a custom Python mirror, and the dissemination of tainted packages through the PyPI registry.
As part of the attack, the threat actor distributed a malicious dependency hosted on a fake Python infrastructure, linking it to popular projects on GitHub and to legitimate Python packages. Using this dependency, the attackers were able to hijack GitHub accounts and publish malicious Python packages. This allowed the perpetrators to harvest a trove of sensitive information including passwords, credentials, and other valuable data from compromised systems, subsequently funneling it to their own infrastructure.
The threat actors deployed a fake Python package mirror, which was successfully used to serve a poisoned copy of the popular package “colorama”. The malicious version was hosted on a typosquatted domain, making it significantly harder for the untrained eye to notice.
The perpetrators managed to infiltrate trusted GitHub accounts, including the GitHub account of “editor-syntax”, a maintainer of the Top.gg GitHub organization.
The attacker, leveraging stolen session cookies, bypassed authentication measures to push a malicious commit to the top-gg/python-sdk repository, adding to its requirements.txt an instruction to download the poisoned version of colorama from their fake Python mirror.
In addition to spreading the malware through malicious GitHub repositories, the attacker also used a malicious Python package called “yocolor” to further distribute the “colorama” package containing the malware.
“By manipulating the package installation process and exploiting the trust users place in the Python package ecosystem, the attacker ensured that the malicious "colorama" package would be installed whenever the malicious dependency was specified in the project's requirements. This tactic allowed the attacker to bypass suspicions and infiltrate the systems of unsuspecting developers who relied on the integrity of the Python packaging system,” the researchers explained.
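The two delivery paths described above (a requirements.txt entry that pulls colorama from an attacker-run mirror, and the "yocolor" package that drags it in) both leave traces in a project's requirements file. The following audit script is an added example, not Checkmarx's or Top.gg's code: it flags index options and direct-URL requirements that point anywhere other than PyPI's own hosts, and names on a small watchlist taken from the article. The mirror domain in the sample is a constructed placeholder, not the real typosquatted domain.

```python
import re
from typing import Dict, List

# pip options that redirect resolution away from the default index; a mirror reached this way is how the poisoned "colorama" copy was served.
INDEX_OPTS = {"--index-url", "-i", "--extra-index-url", "--find-links", "-f"}
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
WATCHLIST = {"yocolor"}  # package name the article identifies as part of the campaign

def host_of(url: str) -> str:
    """Lower-cased host of a URL (credentials skipped); '' if not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://(?:[^/@]*@)?([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def audit_requirements(text: str) -> List[Dict[str, object]]:
    """One finding per line that fetches from an untrusted host or names a
    watch-listed package. Plain names cannot be judged from the file alone."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line)[0].strip()  # drop trailing comment
        tokens = re.split(r"[\s=]+", line)
        if tokens[0] in INDEX_OPTS and len(tokens) > 1:
            host = host_of(tokens[1])
            if host not in TRUSTED_HOSTS:
                findings.append({"line": lineno, "kind": "index-option", "host": host})
            continue
        if " @ " in line:  # PEP 508 direct reference: name @ URL
            name, url = (s.strip() for s in line.split("@", 1))
        elif host_of(tokens[0]):  # bare archive or VCS URL
            name, url = "", tokens[0]
        else:
            m = re.match(r"^[A-Za-z0-9][A-Za-z0-9._-]*", line)
            name, url = (m.group(0) if m else ""), ""
        if url and host_of(url) not in TRUSTED_HOSTS:
            findings.append({"line": lineno, "kind": "direct-url", "host": host_of(url), "name": name})
        elif name.lower().replace("_", "-").replace(".", "-") in WATCHLIST:
            findings.append({"line": lineno, "kind": "watchlist", "name": name})
    return findings

# Constructed sample modelled on the tactic described above; the real commit
# and mirror domain are deliberately not reproduced.
SAMPLE = """\
requests==2.31.0
--extra-index-url https://pypi.example-mirror.invalid/simple
colorama @ https://pypi.example-mirror.invalid/files/colorama-0.4.6.tar.gz
yocolor
--index-url https://pypi.org/simple
"""
```

Running `audit_requirements(SAMPLE)` reports the extra index, the direct colorama URL and the yocolor entry, while the PyPI index line passes; a CI step that fails the build on any finding forces such redirects to be reviewed rather than silently honoured by pip.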