Python Developers Targeted in Massive Supply Chain Attack; Over 170,000 Users Affected

In a recently uncovered attack campaign, over 170,000 Python developers have fallen victim to a sophisticated malware scheme designed to steal sensitive data. The Checkmarx Security Research Team exposed this intricate attack, which targeted the software supply chain and included the successful compromise of the Top.gg GitHub organization, a popular community for Discord bot makers.

The Attack Unfolds

Image: Checkmarx Security Research Team

The attackers used a multi-pronged approach, combining account hijacking, malicious code injection, and a custom Python mirror to distribute their malware. Here’s the breakdown:

• Stolen Cookies, Compromised Accounts: Attackers managed to steal browser cookies, granting them unauthorized access to GitHub accounts. This allowed them to make malicious changes using reputable developer identities, increasing the trustworthiness of their attack vectors.
• Poisoned Packages, Fake Mirrors: Popular projects and legitimate Python packages were targeted. Attackers created a fake Python package mirror, typosquatting the official domain, and distributed a malware-infected version of the popular “colorama” package.
• Social Engineering and GitHub Takeovers: Trusted GitHub accounts were used to contribute malicious code and star malicious repositories, boosting their visibility and perceived legitimacy.

“I Got Hacked”: A Victim’s Story

Security researcher Mohamed Dief shared his own terrifying experience with this attack in a blog post. After cloning a seemingly harmless GitHub repository, Dief began seeing error messages and immediately knew he’d been targeted. His story emphasizes the stealth and speed with which these attacks can compromise systems.

The Malware’s Malice

The intricate malware was designed to evade detection. Hidden within poisoned packages, it works in multiple stages, harvesting a shocking array of sensitive data, including:

• Browser passwords, cookies, history, autofill data, and credit card details
• Discord tokens
• Cryptocurrency wallet data
• Telegram session details
• Files with specific keywords
• Instagram account information

The malware even includes a keylogger to record all of a victim’s keystrokes. Harvested data was then exfiltrated to the attacker’s servers.

The cyberattack showcased a sophisticated use of social engineering, technical deception, and exploitation of trusted platforms. The malware’s multi-stage execution process and the employment of obfuscation techniques like space-padding and the use of non-Latin scripts, showcased the lengths to which attackers will go to hide their tracks.

Protecting Yourself in the Open-Source World

This attack underscores the dangers lurking in the software supply chain. Here’s how Python developers can take action:

• Hypervigilance is Key: Treat every package and repository with a degree of suspicion, even those from seemingly trusted sources.
• Security Best Practices: Enforce strong passwords, use multi-factor authentication (MFA), and monitor for suspicious network activity.
• Know Your Dependencies: Understand the packages your projects rely on, and research new dependencies carefully. Look for signs of tampering and typosquatting.
• Community is Power: Report potential threats, share information, and collaborate to improve security within the Python ecosystem.

The Checkmarx Security Research Team has worked to neutralize the attack infrastructure and report malicious domains.