UPDATED 20:28 EDT / MARCH 25 2024

SECURITY

Sophisticated software supply chain attack hits Top.gg, compromises GitHub accounts

Researchers at application security testing firm Checkmarx Ltd. today detailed a recently discovered software supply chain attack that targeted Top.gg, a popular search and discovery platform for Discord servers, bots and other social tools, along with individual developers on GitHub.

The threat actors combined several tactics, techniques and procedures: account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python package mirror and publishing malicious packages to the PyPI registry. The net result was a silent software supply chain attack that stole sensitive information from victims.

The attackers distributed a dependency hosted on fake Python package infrastructure and linked it to popular projects on GitHub and to legitimate Python packages. The foothold gained that way let them take over further GitHub accounts and publish more malicious Python packages.

The attackers registered a typosquat of PyPI’s official file-hosting domain, “files.pythonhosted.org,” under the lookalike name “files.pypihosted.org.” Using the fake domain, they tricked users into downloading malicious versions of well-known packages such as Colorama.

“The threat actors took Colorama (a highly popular tool with 150+ million monthly downloads), copied it and inserted malicious code,” the Checkmarx researchers explained. “They then concealed the harmful payload within Colorama using space padding and hosted this modified version on their typosquatted-domain fake mirror.”

The strategy, they added, makes it “considerably more challenging to identify the package’s harmful nature with the naked eye, as it initially appears to be a legitimate dependency.”
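The concealment described above works because a line that carries hundreds of spaces before the payload renders as an ordinary line in any editor or diff viewer unless you scroll far to the right. The following scanner is an added example written for this page, not code from Checkmarx or from Colorama: it flags any line in which a long run of horizontal whitespace is followed by more code, and walks a directory such as a virtual environment’s site-packages. The padding threshold and the sample module are assumptions constructed for the demonstration.

```python
import re
from pathlib import Path

# Assumption (not from the Checkmarx report): a line is suspicious when a run
# of at least MIN_PAD spaces or tabs is followed by more code on the same line,
# which pushes that code far past the right edge of any editor window.
# Ordinary indentation never comes close to this length.
MIN_PAD = 100


def find_padded_lines(source: str, min_pad: int = MIN_PAD):
    """Return (line_number, pad_length, hidden_code) for every padded line."""
    pad_re = re.compile(r"[ \t]{%d,}(?=\S)" % min_pad)
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = pad_re.search(line)
        if match:
            hidden = line[match.end():].strip()
            hits.append((lineno, match.end() - match.start(), hidden[:80]))
    return hits


def scan_tree(root):
    """Walk a directory (for example a site-packages) and report padded lines per file."""
    report = {}
    for path in Path(root).rglob("*.py"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = find_padded_lines(text)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: a legitimate-looking module with one line that carries
# an off-screen statement after 800 spaces. The base64 text is inert data
# here; nothing in this script executes it.
SAMPLE_MODULE = "\n".join([
    "_state = {}",
    "",
    "def init():",
    "    _state['initialised'] = True;"
    + " " * 800
    + "exec(__import__('base64').b64decode(b'cHJpbnQoJ3BheWxvYWQnKQ=='))",
    "    return True",
    "",
    "",
    "def deinit():",
    "    _state.clear()",
])


if __name__ == "__main__":
    for lineno, pad, code in find_padded_lines(SAMPLE_MODULE):
        print(f"line {lineno}: {pad} whitespace chars, then: {code}")
```

Run it over an installed environment with `scan_tree(".venv/lib/python3.12/site-packages")`; a short list of files with one or two long-padded lines is the output worth reading, and genuine false positives (aligned table literals, generated code) are rare enough to review by hand.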

The attackers also extended their reach beyond creating malicious repositories by hijacking GitHub accounts with high reputations and using the resources under those accounts to contribute malicious commits. One of the victims was the owner of the GitHub account “editor-syntax,” a maintainer in the Top.gg GitHub organization with write permission to Top.gg’s git repositories.

With control over the account, the attackers made a malicious commit to the top-gg/python-sdk repository under the stolen identity of editor-syntax. The commit changed requirements.txt so that it pulled the poisoned version of Colorama from their fake Python mirror instead of from PyPI. They also used the stolen account to create multiple malicious GitHub repositories to increase their visibility and credibility.
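A requirements.txt line can point pip at any host, whether through a direct reference (`package @ https://...`), an `--index-url` or `--extra-index-url` option, `--find-links`, or a VCS URL, so a one-line change of the kind described above is enough to swap a dependency for a copy on attacker infrastructure. The audit below is an added example written for this page, not code from Top.gg, Checkmarx or pip: it lists every URL in a requirements file whose host is outside an allowlist and separately calls out hosts that look like PyPI’s own. The allowlist, the similarity threshold and the sample requirements file are assumptions constructed for the demonstration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumptions (not from the article): the only hosts a build may fetch from
# are PyPI's own, and a hostname at least 80% similar to one of them is
# reported as a lookalike rather than merely as untrusted.
TRUSTED_HOSTS = ("pypi.org", "files.pythonhosted.org")
LOOKALIKE_RATIO = 0.8

# A URL ends at whitespace, a quote or '#', so '#sha256=' fragments are dropped.
URL_RE = re.compile(r"https?://[^\s#'\"]+")


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike of <trusted host>' or 'untrusted host'."""
    if host in TRUSTED_HOSTS:
        return "trusted"
    best = max(TRUSTED_HOSTS, key=lambda t: SequenceMatcher(None, host, t).ratio())
    if SequenceMatcher(None, host, best).ratio() >= LOOKALIKE_RATIO:
        return f"lookalike of {best}"
    return "untrusted host"


def audit_requirements(text: str):
    """Return (line_number, host, verdict, line) for every URL not on the allowlist.

    Direct references, index and find-links options and VCS URLs are all
    caught, because each of them lets pip pull code from outside PyPI.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # comments are not requirements
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            verdict = classify_host(host)
            if verdict != "trusted":
                findings.append((lineno, host, verdict, line))
    return findings


# Constructed sample. The second line mimics the shape of the poisoned entry:
# a direct URL to a typosquat of files.pythonhosted.org. The package paths are
# placeholders, not real PyPI URLs.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
colorama @ https://files.pypihosted.org/packages/example/colorama-0.4.6.tar.gz
--extra-index-url https://pypi.build-cache.internal/simple
six @ https://files.pythonhosted.org/packages/example/six-1.16.0-py2.py3-none-any.whl
numpy>=1.26  # https://numpy.org appears only in a comment here
"""


if __name__ == "__main__":
    for lineno, host, verdict, line in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {host} ({verdict}): {line}")
```

Run this in CI on every pull request that touches a requirements file and fail the build on any finding; an internal mirror that is genuinely allowed belongs in `TRUSTED_HOSTS`, and a direct URL to a lookalike host should never pass review.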

The researchers conclude that the incident highlights the importance of vigilance when installing packages and repositories, even from trusted sources.

Jason Kent, hacker in residence at application programming interface security startup Cequence Security Inc., told SiliconANGLE that “these new supply chain attacks are becoming increasingly creative and showing that attackers have all the time in the world to attack code, infrastructure, users and whatever they like.”

“This attack was sophisticated in nature and is looking to create havoc on systems that users are accessing daily,” Kent added. “Imagine if all of your passwords, API Keys and session tokens were hijacked at the same time and the attackers drained your bank account, deleted your work and left a system that isn’t functioning. Be prepared, log out of your systems when you are done, don’t store API Keys and make sure your authentication artifacts are as ephemeral as possible.”
