Executive Summary
The Checkmarx Research team has reported a sophisticated campaign that targets software supply chains and has resulted in the successful compromise of multiple GitHub users. Key targets included the Top.gg GitHub organization, which claims to have over 170,000 users, and individual developers on the code publishing platform. The attackers employed several novel tactics, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry for further propagation in future attacks.
Community Threat Assessment
Given the public reporting and analysis of the attack chain, and the released Indicators of Compromise (IOCs), the RH-ISAC Intelligence Team assesses with high confidence that this campaign presents a low threat to organizations in the retail and hospitality sector. RH-ISAC recommends that Core Members review the intelligence in this report and the linked Checkmarx report, which contains additional details on the campaign.
Members are also advised to review the IOCs, provided below, and ingest them into security systems promptly where applicable.
Technical Details
The attackers, who remain unnamed in the article, published fraudulent open-source tools with enticing descriptions to lure victims, distributed malicious dependencies hosted on fake Python package infrastructure, and used social engineering to propagate the fake GitHub repositories.
The attackers later managed to hijack GitHub accounts with high reputations, such as “editor-syntax,” and used them to contribute malicious commits and spread the malware. They also deployed a fake Python mirror, successfully distributing a poisoned version of the popular package “colorama.” The malicious payload, hidden within “colorama,” executed various stages of attack, including data theft from web browsers, Discord, cryptocurrency wallets, Telegram sessions, computer files, and Instagram profiles. The malware also included a keylogging component to capture keystrokes.
Victims later reported the unauthorized activity to GitHub, including errors related to legitimate packages and unusual commits in their repositories; this eventually led to the suspension of the malicious and fraudulent accounts and to the extraction of the indicators of compromise (IOCs) listed below.
The compromised dependencies are listed below for security awareness:
| Package Name | Version | Username | Date Released |
|--------------|---------|----------|---------------|
| jzyrljroxlca | 0.3.2 | pypi/xotifol394 | 21-Jul-23 |
| wkqubsxekbxn | 0.3.2 | pypi/xotifol394 | 21-Jul-23 |
| eoerbisjxqyv | 0.3.2 | pypi/xotifol394 | 21-Jul-23 |
| lyfamdorksgb | 0.3.2 | pypi/xotifol394 | 21-Jul-23 |
| hnuhfyzumkmo | 0.3.2 | pypi/xotifol394 | 21-Jul-23 |
| hbcxuypphrnk | 0.3.2 | pypi/xotifol394 | 20-Jul-23 |
| dcrywkqddo | 0.4.3 | pypi/xotifol394 | 20-Jul-23 |
| mjpoytwngddh | 0.3.2 | pypi/poyon95014 | 21-Jul-23 |
| eeajhjmclakf | 0.3.2 | pypi/tiles77583 | 21-Jul-23 |
| yocolor | 0.4.6 | pypi/felpes | 05-Mar-24 |
| coloriv | 3.2 | pypi/felpes | 22-Nov-22 |
| colors-it | 2.1.3 | pypi/felpes | 17-Nov-22 |
| pylo-color | 1.0.3 | pypi/felpes | 15-Nov-22 |
| type-color | 0.4 | felipefelpes | 01-Nov-22 |
Indicators of Compromise
The following IOCs, provided by Checkmarx, are listed for community awareness and ingestion:
hxxps[:]//files[.]pythanhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.5.tar.gz
hxxps[:]//files[.]pypihosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz
hxxps://files[.]pypihosted[.]org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.3.tar.gz
162[.]248.101.215
pypihosted[.]org/version
162[.]248.100.217
162[.]248.100.117
0C1873196DBD88280F4D5CF409B7B53674B3ED85F8A1A28ECE9CAF2F98A71207
35AC61C83B85F6DDCF8EC8747F44400399CE3A9986D355834B68630270E669FB
C53B93BE72E700F7E0C8D5333ACD68F9DC5505FB5B71773CA9A8668B98A17BA8
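As an added example (not part of the Checkmarx or RH-ISAC material), the Python script below turns the package table and the IOC list above into a check a defender can run against a requirements file and downloaded distributions. It flags package names from the table, index overrides or direct URL references pointing at the listed hosts and IPs, any other host that is not the official index, and archives whose SHA-256 matches a listed hash. The requirements lines embedded in it are constructed samples; the trusted-host allowlist and the helper names are assumptions, not anything from the report.

```python
"""Scan pip requirement lines and downloaded distributions for the
indicators in this report. Added example, not Checkmarx or RH-ISAC code.
Package names, hosts, IPs and hashes are copied from the tables above;
the sample requirements text is constructed for illustration."""
import hashlib
import re
from urllib.parse import urlparse

# Package names from the compromised-dependencies table.
MALICIOUS_PACKAGES = {
    "jzyrljroxlca", "wkqubsxekbxn", "eoerbisjxqyv", "lyfamdorksgb",
    "hnuhfyzumkmo", "hbcxuypphrnk", "dcrywkqddo", "mjpoytwngddh",
    "eeajhjmclakf", "yocolor", "coloriv", "colors-it", "pylo-color",
    "type-color",
}

# Hosts and IPs from the IOC list, re-fanged so they compare against real URLs.
MALICIOUS_HOSTS = {
    "pypihosted.org", "files.pypihosted.org", "files.pythanhosted.org",
    "162.248.101.215", "162.248.100.217", "162.248.100.117",
}

# SHA-256 values from the IOC list, lower-cased for comparison.
MALICIOUS_SHA256 = {
    "0c1873196dbd88280f4d5cf409b7b53674b3ed85f8a1a28ece9caf2f98a71207",
    "35ac61c83b85f6ddcf8ec8747f44400399ce3a9986d355834b68630270e669fb",
    "c53b93be72e700f7e0c8d5333acd68f9dc5505fb5b71773ca9a8668b98a17ba8",
}

# Assumed allowlist: hosts the official index serves from. Any other host in
# a requirements file deserves review even when it is not a known IOC.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

URL_RE = re.compile(r"https?://[^\s'\"]+")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation so 'Colors_It' and 'colors-it' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirement_line(line):
    """Return a list of (finding, value) tuples for one requirements line."""
    findings = []
    # pip treats '#' at line start, or after whitespace, as a comment.
    stripped = re.sub(r"(^|\s)#.*$", "", line).strip()
    if not stripped:
        return findings
    # Index overrides (-i, --index-url, --extra-index-url, --find-links) and
    # direct references (name @ URL, or a bare URL) both carry URLs.
    for url in URL_RE.findall(stripped):
        host = urlparse(url).hostname or ""
        if host in MALICIOUS_HOSTS:
            findings.append(("ioc-host", host))
        elif host not in TRUSTED_HOSTS:
            findings.append(("untrusted-host", host))
    # Only ordinary requirement lines and 'name @ URL' lines carry a name.
    if not stripped.startswith("-") and "://" not in stripped.split("@")[0]:
        match = NAME_RE.match(stripped)
        if match and normalize(match.group(1)) in MALICIOUS_PACKAGES:
            findings.append(("ioc-package", normalize(match.group(1))))
    return findings


def scan_requirements(text):
    """Scan a whole requirements file; returns {line_number: findings}."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        findings = scan_requirement_line(line)
        if findings:
            report[number] = findings
    return report


def check_distribution(data):
    """Hash a downloaded sdist or wheel (bytes) against the IOC hashes."""
    digest = hashlib.sha256(data).hexdigest()
    return digest in MALICIOUS_SHA256, digest


# Constructed sample: two clean pins, one index override, one direct URL
# reference and one package from the table above.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0
colorama==0.4.6
--extra-index-url https://pypihosted.org/simple
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
yocolor>=0.4
"""

if __name__ == "__main__":
    for number, findings in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"line {number}: {findings}")
```

The allowlist check is deliberately noisy: a private mirror will show up as `untrusted-host`, which is the point, since the campaign relied on a mirror that looked legitimate. Pair the hash check with `pip download` output, or with a package cache, rather than with anything fetched from the flagged hosts.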