News Report Technology
March 26, 2024

Malicious Attack Strikes Over 170,000 Top.gg Users Through Fake Python Infrastructure

In Brief

The Top.gg GitHub organization's community of over 170,000 users was targeted by malicious actors in a software supply chain attack.

The Top.gg GitHub organization's community, comprising over 170,000 members, was targeted by malicious actors in a software supply chain attack, with evidence suggesting successful exploitation that impacted multiple victims.

On March 3rd, users on the community’s Discord chat alerted “editor-syntax” to suspicious activity linked to his account. “editor-syntax” was shocked to discover the situation through his GitHub account. It became apparent that the malware had affected numerous individuals, highlighting the extent and impact of the attack.

The threat actors employed various Tactics, Techniques, and Procedures (TTPs) in this attack, including account takeover through stolen browser cookies, inserting malicious code via verified commits, setting up a custom Python mirror, and uploading malicious packages to the PyPI registry.

Notably, the attack infrastructure included a website built to mimic a Python package mirror, registered under the domain “files[.]pypihosted[.]org”, a typosquat of “files.pythonhosted.org,” the official host for PyPI package artifact files. The threat actors also targeted Colorama, a widely used package with over 150 million monthly downloads, by cloning it and injecting malicious code. They hid the harmful payload inside Colorama using space padding and hosted this altered version on the fake mirror at the typosquatted domain. Furthermore, the attackers’ reach went beyond creating malicious repositories under their own accounts: they hijacked high-reputation GitHub accounts and used the resources associated with those accounts to make malicious commits.
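One cheap pre-install check for the space-padding trick described above, added here as an example and not code from the article, from Colorama or from the attackers: it flags any source line whose visible code sits behind a long run of whitespace, which is how padded code stays out of sight in an editor or diff view. The 100-character threshold and the sample module are constructed assumptions.

```python
import re
from typing import List, Tuple

# Threshold is an assumption: normal Python indentation is a few dozen
# spaces; a run of hundreds of spaces before code is not formatting.
PAD_THRESHOLD = 100


def padded_lines(source: str, threshold: int = PAD_THRESHOLD) -> List[Tuple[int, int]]:
    """Return (line_number, pad_length) for every whitespace run of at
    least `threshold` characters that is followed by visible code.

    The run may be leading whitespace or a gap after a short decoy prefix
    (a harmless statement, hundreds of spaces, then more code on the same
    line), so the whole line is searched, not just its left margin.
    """
    pattern = re.compile(r"[ \t]{%d,}(?=\S)" % threshold)
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in pattern.finditer(line):
            hits.append((lineno, match.end() - match.start()))
    return hits


def scan_file(path: str, threshold: int = PAD_THRESHOLD) -> List[Tuple[int, int]]:
    """Apply padded_lines to a file on disk, e.g. a downloaded sdist's
    __init__.py before the package is installed."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return padded_lines(fh.read(), threshold)


# Constructed sample: a benign-looking module with one injected line whose
# real code is pushed 300 columns to the right of a harmless statement.
SAMPLE = (
    "import os\n"
    "def init():\n"
    "    pass\n"
    "x = 1" + " " * 300 + "hidden_call()\n"
)

if __name__ == "__main__":
    for lineno, pad in padded_lines(SAMPLE):
        print(f"line {lineno}: code hidden behind {pad} whitespace characters")
```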

In addition to spreading the malware through malicious GitHub repositories, the attackers also used a malicious Python package, “yocolor,” to deliver the “colorama” package containing the malware. Employing the same typosquatting technique, the bad actors hosted the malicious package on the domain “files[.]pypihosted[.]org” under a name identical to the legitimate “colorama” package.

By manipulating the package installation process and exploiting the trust users place in the Python package ecosystem, the attacker ensured that the malicious “colorama” package would be installed whenever the malicious dependency was specified in a project’s requirements. This tactic allowed the attacker to avoid suspicion and infiltrate the systems of unsuspecting developers who relied on the integrity of the Python packaging system.
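A defender-side check for the dependency-resolution trick above, added here as an example rather than code from the article or from pip: it reads a requirements file and reports every line that would make pip fetch from a host outside an allowlist, naming the trusted host a suspicious one resembles. The allowlist, the internal mirror hostname and the sample file are constructed assumptions; the lookalike domain is the one the article names.

```python
import re
from difflib import get_close_matches
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts a project is willing to fetch packages from (assumption: a plain
# PyPI setup; add your own internal mirror here if you run one).
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# pip options that change where packages are fetched from.
_OPTION_URL = re.compile(
    r"^(?:--index-url|-i|--extra-index-url|--find-links|-f)\s*=?\s*(\S+)"
)
# PEP 508 direct reference ("name @ url"); pip also accepts a bare URL.
_DIRECT_REF = re.compile(r"^(?:[A-Za-z0-9._-]+\s*@\s*)?(https?://\S+)")


def untrusted_sources(requirements: str, trusted=TRUSTED_HOSTS) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line_number, host, lookalike_of) for each line that points pip
    at a host outside `trusted`. `lookalike_of` is the trusted host the
    suspicious one closely resembles, or None if it resembles none."""
    findings = []
    for lineno, raw in enumerate(requirements.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _OPTION_URL.match(line) or _DIRECT_REF.match(line)
        if not match:
            continue  # plain "name==version" line, resolved via the index
        host = urlparse(match.group(1)).hostname or ""
        if host in trusted:
            continue
        close = get_close_matches(host, sorted(trusted), n=1, cutoff=0.8)
        findings.append((lineno, host, close[0] if close else None))
    return findings


# Constructed sample: one direct reference to the lookalike host named in
# the article, plus an extra index on an invented internal host.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
requests==2.31.0
--index-url https://pypi.org/simple
colorama @ https://files.pypihosted.org/packages/colorama-x.y.z.tar.gz
--extra-index-url https://mirror.example.internal/simple
"""
```

Run `untrusted_sources(SAMPLE_REQUIREMENTS)` to see the two flagged lines; the first is reported as resembling files.pythonhosted.org.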

According to SlowMist Chief Information Security Officer “23pds”, the malware targeted many popular software applications, extracting sensitive data such as cryptocurrency wallet information, Discord data, browser data, Telegram sessions, and more.

The malware carried a list of cryptocurrency wallets targeted for theft; it scanned the victim’s system for directories linked to each wallet and attempted to extract wallet-related files. The stolen wallet data was then compressed into ZIP files and transmitted to the attacker’s server.

The malware also attempted to steal session data from the Telegram messaging application by scanning for directories and files linked to Telegram. With access to Telegram sessions, the attacker might have gained unauthorized entry into the victim’s Telegram account and communications.

This campaign exemplifies the sophisticated tactics malicious actors use to distribute malware through trusted platforms such as PyPI and GitHub. The Top.gg incident highlights the importance of vigilance when installing packages and repositories, even from reputable sources.

About The Author

Alisa Davidson

Alisa is a reporter for the Metaverse Post. She focuses on investments, AI, metaverse, and everything related to Web3. Alisa has a degree in Business of Art and expertise in Art & Tech. She has developed her passion for journalism through writing for VCs, notable crypto projects, and scientific writing. You can contact her at alisa@mpost.io