Malicious Attack Strikes Over 170,000 Top.gg Users Through Fake Python Infrastructure
In Brief
Top.gg GitHub organization 170,000 user community was targeted by malicious actors in an attack on the software supply chain.
Top.gg GitHub organization community, comprising over 170,000 members, was targeted by malicious actors in an attack on the software supply chain with evidence suggesting successful exploitation, impacting multiple victims.
On March 3rd, users brought to the attention of “editor-syntax” on the community’s Discord chat about suspicious activities linked to his account. “editor-syntax” was shocked upon discovering the situation through his GitHub account. It became apparent that the malware had affected numerous individuals, highlighting the extent and impact of the attack.
The threat actors employed various Tactics, Techniques, and Procedures (TTPs) in this attack, which included account takeover through pilfered browser cookies, inserting malicious code with verified commits, establishing a customized Python mirror, and uploading malicious packages to the PyPi registry.
Notably, the attack infrastructure encompassed a website designed to mimic a Python package mirror, registered under the domain “files[.]pypihosted[.]org”–the domain targeting the official Python mirror, “files.pythonhosted.org,” the usual repository for storing PyPi package artifact files. The threat actors also took Colorama, a widely used tool with over 150 million monthly downloads, by duplicating it and injecting malicious code. They obscured the harmful payload within Colorama by using space padding and hosted this altered version on their typosquatted-domain fake mirror. Furthermore, attackers’ reach went beyond creating malicious repositories through their accounts. They hijacked GitHub accounts with high reputations and utilized the resources associated with those accounts to make malicious commits.
In addition to spreading the malware through malicious GitHub repositories, the attackers also utilized a malicious Python package, “yocolor,” to distribute the “colorama” package containing the malware. Employing the same typosquatting technique, bad actors hosted the malicious package on the domain “files[.]pypihosted[.]org” and used an identical name to the legitimate “colorama” package.
By manipulating the package installation process and exploiting the trust users place in the Python package ecosystem, the attacker ensured that the malicious “colorama” package would be installed whenever the malicious dependency was specified in the project’s requirements. This tactic allowed the attacker to bypass suspicions and infiltrate the systems of unsuspecting developers who relied on the integrity of the Python packaging system.
SlowMist CISO Reveals Malware’s Extensive Data Extraction from Popular Applications
According to SlowMist Chief Information Security Officer “23pds”, the malware targeted many popular software applications, extracting sensitive data such as cryptocurrency wallet information, Discord data, browser data, Telegram sessions, and more.
Containing the list of cryptocurrency wallets targeted for theft from the victim’s system, the malware scanned for directories linked to each wallet and endeavored to extract wallet-related files. Subsequently, the pilfered wallet data was compressed into ZIP files and transmitted to the attacker’s server.
The malware also attempted to steal messaging application Telegram session data by scanning for directories and files linked to Telegram. By obtaining access to Telegram sessions, the attacker might have gained unauthorized entry into the victim’s Telegram account and communications.
This campaign exemplifies the sophisticated tactics malicious actors use to distribute malware through trusted platforms such as PyPI and GitHub. The recent Top.gg incident highlights the significance of vigilance when installing packages and repositories, even from reputable sources.
Disclaimer
In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.About The Author
Alisa is a reporter for the Metaverse Post. She focuses on investments, AI, metaverse, and everything related to Web3. Alisa has a degree in Business of Art and expertise in Art & Tech. She has developed her passion for journalism through writing for VCs, notable crypto projects, and scientific writing. You can contact her at alisa@mpost.io
More articles
Alisa is a reporter for the Metaverse Post. She focuses on investments, AI, metaverse, and everything related to Web3. Alisa has a degree in Business of Art and expertise in Art & Tech. She has developed her passion for journalism through writing for VCs, notable crypto projects, and scientific writing. You can contact her at alisa@mpost.io
