The Information Highway

GitHub supply chain attack

Threat update

Malicious actors have launched a software supply chain attack targeting developers on the GitHub platform. LBT Technology Group, LLC recommends taking the proactive measures detailed in this Cybersecurity Threat Advisory to mitigate the risk.

Technical Detail and Additional Info

What is the threat?

A variety of techniques were used in this attack, including leveraging stolen browser cookies to take over GitHub accounts and contributing malicious code through verified commits. The attackers also set up a custom Python package mirror and published malicious packages to the PyPI (Python Package Index) registry, linking them to popular projects on GitHub. Typosquatting was used to disguise the malicious mirror as "files[.]pypihosted[.]org," which closely resembles the official PyPI file host, "files.pythonhosted.org," where the artifact files of PyPI packages normally live.

This technique led to the deployment of a tampered copy of Colorama, a package developers use to add color and style to terminal output. Through it, the threat actors initiated a silent software supply chain attack against developers that stole passwords, credentials, and other data from infected systems.

Why is it noteworthy?

Millions of people use GitHub and Colorama, which increases the potential impact of this supply chain attack. Unauthorized code changes can have detrimental impacts as well.

What is the exposure or risk?

The malicious resources can steal a wide variety of information, including data from browsers such as Edge, Chrome, Opera, and Yandex: autofill information, cookies, credit cards, login credentials, and browsing history. The malware also targets Discord, looking for tokens it can decrypt to gain access to the victim's account, and it steals cryptocurrency wallets, grabs Telegram data, and exfiltrates files from the computer. It also attempts to steal sensitive information from Instagram using a session token and can log victims' keystrokes, exposing information like passwords, personal messages, and financial details.

What are the recommendations?

LBT Technology Group, LLC recommends the following actions to limit the impact of this supply chain attack:

  • Verify dependencies and resources before interacting with them.
  • Monitor for suspicious network activity.
  • Maintain a proper security posture to mitigate the risk and impact of this attack.
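One concrete way to act on the first recommendation, and to catch the mirror typosquatting described above, is to audit the index and download hosts your pip configuration and requirements files point at. The script below is an added example for this advisory, not code from LBT Technology Group or from the PyPI or Colorama projects. It assumes an allowlist of official PyPI hosts (`pypi.org` and `files.pythonhosted.org`), a similarity threshold of 0.8 for flagging lookalike hostnames, and a constructed set of sample lines that includes the `files.pypihosted.org` host named in the advisory.

```python
"""Audit pip configuration / requirements lines for package index and download
hosts that are not official PyPI hosts, and flag typosquatted lookalikes.

Added example for this advisory; not the advisory author's or PyPI's own code.
The sample lines at the bottom are constructed for illustration."""
import difflib
import re
import shlex
from urllib.parse import urlparse

# Assumption: the official hosts your organization allows pip to talk to.
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# pip options that redirect the resolver to another index or download location.
URL_OPTIONS = {"-i", "--index-url", "--extra-index-url",
               "-f", "--find-links", "--trusted-host"}

# Assumption: ratio at or above this counts as "too close" to an official host.
LOOKALIKE_THRESHOLD = 0.8


def _strip_comment(line):
    # pip treats '#' as a comment only at line start or after whitespace,
    # so URL fragments such as '#sha256=...' survive.
    return re.sub(r"(^|\s)#.*$", "", line).strip()


def extract_hosts(lines):
    """Return {hostname: first source line} for every host referenced by a
    URL option, an option=value form, or a direct 'pkg @ https://...' URL."""
    hosts = {}
    for raw in lines:
        line = _strip_comment(raw)
        if not line:
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            val = None
            if tok in URL_OPTIONS and i + 1 < len(tokens):
                val = tokens[i + 1]                      # --index-url https://...
            elif "=" in tok and tok.split("=", 1)[0] in URL_OPTIONS:
                val = tok.split("=", 1)[1]               # --extra-index-url=https://...
            elif tok.startswith(("http://", "https://")):
                val = tok                                # direct URL reference
            if val is None:
                continue
            # --trusted-host takes a bare host[:port] rather than a URL.
            host = urlparse(val).hostname if "://" in val else val.split(":")[0]
            if host:
                hosts.setdefault(host.lower(), raw.strip())
    return hosts


def classify_host(host):
    """Return ('official', None), ('lookalike', closest_official) or ('unknown', None)."""
    if host in OFFICIAL_HOSTS:
        return "official", None
    best = max(OFFICIAL_HOSTS,
               key=lambda o: difflib.SequenceMatcher(None, host, o).ratio())
    score = difflib.SequenceMatcher(None, host, best).ratio()
    if score >= LOOKALIKE_THRESHOLD:
        return "lookalike", best
    return "unknown", None


def audit(lines):
    """Return a finding for every non-official host, most suspicious first."""
    findings = []
    for host, src in extract_hosts(lines).items():
        verdict, near = classify_host(host)
        if verdict != "official":
            findings.append({"host": host, "verdict": verdict,
                             "resembles": near, "line": src})
    findings.sort(key=lambda f: f["verdict"] != "lookalike")
    return findings


# Constructed sample: fragments of a pip.conf and a requirements file. The
# lookalike host is the one named in the advisory; the paths are made up.
SAMPLE_LINES = [
    "# constructed sample input",
    "--index-url https://pypi.org/simple",
    "--extra-index-url=https://files.pypihosted.org/simple",
    "colorama @ https://files.pypihosted.org/packages/colorama.tar.gz",
    "--trusted-host files.pypihosted.org",
    "requests==2.31.0",
    "-f https://pypi.internal.example/wheels",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        note = f" (resembles {f['resembles']})" if f["resembles"] else ""
        print(f"{f['verdict'].upper():9} {f['host']}{note}\n    {f['line']}")
```

Run it against the concatenated output of `pip config list`, your `pip.conf`/`pip.ini`, and every requirements or constraints file in the repository; a "lookalike" finding is the signal this advisory describes, while an "unknown" host is simply a private index you should confirm is intended. The similarity test uses `difflib` so the script needs nothing outside the standard library; for an internal mirror that is deliberately named after PyPI, add it to `OFFICIAL_HOSTS` rather than lowering the threshold.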

Thursday, 02 May 2024