Threat update
Malicious actors have launched a software supply chain attack targeting developers on the GitHub platform. LBT Technology Group, LLC. recommends taking proactive measures detailed in this Cybersecurity Threat Advisory to mitigate the risk.
Technical Detail and Additional Info
What is the threat?
A variety of techniques were used to launch this attack including leveraging stolen browser cookies to take over accounts and contributing malicious code with verified commits on GitHub. This also involved setting up a custom Python mirror and publishing malicious packages to the PyPI (Python Package Index) registry, linking it to popular projects on GitHub. Typo squatting was used to disguise the malicious Python package mirror register as "files[.]pypihosted[.]org," which closely resembles the official Python mirror, "files.pythonhosted.org." This is where official artifact files of PyPI packages normally live.
This technique led to the deployment of a tampered copy of Colorama, a package used by developers to add color and style to text in terminal outputs. The threat actors were able to initiate a silent software supply chain attack that stole passwords, credentials, and other data from infected systems targeting developers.
Why is it noteworthy?
Millions of people use GitHub and Colorama which increases the potential impact of this supply chain attack. Unauthorized code changes can have detrimental impacts as well.
What is the exposure or risk?
The malicious resources can steal a wide variety of information, including data from browsers such as Edge, Chrome, Opera, and Yandex. The data includes autofill information, cookies, credit cards, login credentials, and browsing history. This can also get into Discord, looking for tokens that it can decrypt to gain access to the victim's account and steal cryptocurrency wallets, grab Telegram data, and exfiltrate computer files. It also looks to steal sensitive information from Instagram files using a session token and can log victims' keystrokes, exposing information like passwords, personal messages, and financial details.
What are the recommendations?
LBT Technology Group, LLC. recommends the following actions to limit the impact of this supply chain attack:
- Verify dependencies and resources before interacting with them.
- Monitor for suspicious network activity.
- Maintain a proper security posture to mitigate the risk and impact of this attack.
References
For more in-depth information about the recommendations, please visit the following links:
- https://securityboulevard.com/2024/03/complex-supply-chain-attack-targets-github-developers/
- https://medium.com/@demonia/discovering-malwares-in-public-github-repositories-3e080f030ecc
- https://www.theregister.com/2024/03/25/python_package_malware/
If you have any questions, please contact LBT's Sales Engineer.