Top Python Developers Hacked in Sophisticated Supply Chain Attack

Multiple Python developers get infected after downloading malware-packed clone of the popular tool Colorama.

Multiple Python developers, including a maintainer of Top.gg, were infected with information-stealing malware after downloading a malicious clone of a highly popular tool, Checkmarx reports.

Called Colorama, the utility makes ANSI escape character sequences work on Windows and has more than 150 million monthly downloads.

To mount their supply chain attack, the hackers cloned the tool, inserted malicious code into it, and placed the malicious version on a fake mirror domain that relied on typosquatting to trick developers into mistaking it for the legitimate ‘files.pythonhosted.org’ mirror.

To spread the malware-laden package, the attackers created malicious repositories under their own accounts and hijacked high-profile accounts, including the GitHub account ‘editor-syntax’, a maintainer of the Top.gg search and discovery platform for Discord, which has a community of over 170,000 members.

Using the ‘editor-syntax’ account, the attackers contributed a malicious commit to the top-gg/python-sdk repository, adding instructions to download the malicious clone of Colorama, and starred malicious GitHub repositories to increase their visibility.

The account was likely hacked via stolen session cookies, which let the attackers bypass authentication and act as the account owner without knowing the password. Multiple members of the Top.gg community were compromised as a result.

To conceal their nefarious activity in their malicious repositories, the attackers would simultaneously commit multiple files, including legitimate ones along with those containing the link to the cloned Colorama package, so that they would blend in with the legitimate dependencies.

“By manipulating the package installation process and exploiting the trust users place in the Python package ecosystem, the attacker ensured that the malicious ‘colorama’ package would be installed whenever the malicious dependency was specified in the project’s requirements,” Checkmarx notes.

To hide the malicious code in Colorama, the attackers padded the line with a long run of whitespace, pushing the snippet off-screen so that it would not be noticed during a quick review of the source files. They also arranged for the code to execute every time Colorama was imported, regardless of whether it was actually used.
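Two of the tricks described above (a requirements entry that fetches from a look-alike of the official file host, and a payload pushed off-screen by whitespace) can be flagged mechanically before install. The checker below is an added example, not code from the article or from Checkmarx; the `files.pypihosted.example` host and the sample files are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts a requirements line may legitimately download from (official PyPI).
ALLOWED_HOSTS = {"files.pythonhosted.org", "pypi.org"}

# Matches any direct URL in a requirement, including "pkg @ https://..." pins
# and --index-url / --extra-index-url options.
_URL_RE = re.compile(r"https?://[^\s#]+")


def suspicious_requirement_lines(text):
    """Return (line_no, host) for every requirement line that downloads
    from a host other than the official PyPI hosts."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for url in _URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_HOSTS:
                findings.append((no, host))
    return findings


def offscreen_code_lines(source, gap=40):
    """Return line numbers where code follows a run of `gap` or more
    spaces/tabs on the same line, i.e. text hidden past the visible width."""
    pattern = re.compile(r"\S[ \t]{%d,}\S" % gap)
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        if pattern.search(line):
            hits.append(no)
    return hits


# Constructed sample input: a typosquatted host (reserved .example TLD) and
# a harmless print() pushed 300 columns to the right of a plausible line.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
# constructed look-alike host, not the real one
colorama @ https://files.pypihosted.example/packages/colorama-0.4.6.tar.gz
"""
SAMPLE_SOURCE = (
    "import os\ntry:\n    import colorama\nexcept ImportError:\n"
    "    pass;" + " " * 300 + "print('hidden placeholder')\n"
)
```

Running both functions over the samples reports the third requirements line and line 5 of the source file; a clean pin such as `colorama==0.4.6` reports nothing.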

Once the malicious code was executed, the infection process continued with several additional steps, such as downloading and executing additional Python code, fetching necessary libraries, and setting up persistence.

In the end, the developers’ systems were infected with malware capable of logging keystrokes and stealing data from multiple browsers (including Brave, Chrome, Edge, Opera, Vivaldi, and Yandex), Discord, cryptocurrency wallets, Telegram sessions, Instagram, and computer files.

“The stolen data is exfiltrated to the attacker’s server using various techniques. The code includes functions to upload files to anonymous file-sharing services like GoFile and Anonfiles. It also sends the stolen information to the attacker’s server using HTTP requests,” Checkmarx notes.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.