
Top Python Developers Hacked in Sophisticated Supply Chain Attack

Multiple Python developers get infected after downloading malware-packed clone of the popular tool Colorama.

Multiple Python developers, including a maintainer of Top.gg, were infected with information-stealing malware after downloading a malicious clone of a highly popular tool, Checkmarx reports.

Called Colorama, the utility makes ANSI escape character sequences work on Windows and has more than 150 million monthly downloads.

To mount their supply chain attack, the hackers cloned the tool, inserted malicious code into it, and placed the malicious version on a fake mirror domain that relied on typosquatting to trick developers into mistaking it for the legitimate ‘files.pythonhosted.org’ mirror.

To spread the malware-laden package, the attackers created malicious repositories under their own accounts and hijacked high-profile accounts, including the GitHub account ‘editor-syntax’, a maintainer of the Top.gg search and discovery platform for Discord, which has a community of over 170,000 members.

Using the ‘editor-syntax’ account, the attackers contributed a malicious commit to the top-gg/python-sdk repository, adding instructions to download the malicious clone of Colorama, and starred malicious GitHub repositories to increase their visibility.

The account was likely hijacked via stolen session cookies, which the attackers used to bypass authentication and act as the account owner without knowing the password. Multiple members of the Top.gg community were compromised as a result.

To conceal their nefarious activity in their malicious repositories, the attackers would simultaneously commit multiple files, including legitimate ones along with those containing the link to the cloned Colorama package, so that they would blend in with the legitimate dependencies.

“By manipulating the package installation process and exploiting the trust users place in the Python package ecosystem, the attacker ensured that the malicious ‘colorama’ package would be installed whenever the malicious dependency was specified in the project’s requirements,” Checkmarx notes.


To hide the malicious code in Colorama, the attackers padded it with a long run of whitespace, pushing the snippet off-screen so it would not be noticed during quick reviews of the source files. They also set the code to execute every time Colorama was imported, regardless of whether it was used.
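Two of the techniques described above, a requirements entry pointing at a lookalike mirror and code pushed off-screen by a run of spaces, are mechanical enough to check for in a pre-install or code-review step. The following is an added example, not code from Checkmarx or from the Colorama project; the trusted-host list, the 60-space threshold and the sample inputs (including the lookalike domain) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts a requirements file is expected to fetch from (assumption: plain PyPI usage).
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# A run of spaces this long before code is treated as an attempt to push it off-screen (assumed threshold).
MAX_SPACE_RUN = 60
HIDDEN_CODE = re.compile(r" {" + str(MAX_SPACE_RUN) + r",}\S")


def suspicious_requirement_lines(requirements_text):
    """Return (line_no, host) for every index option or direct URL pointing off the trusted hosts."""
    findings = []
    for no, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        # Catches --index-url/--extra-index-url/-i/-f options and "pkg @ https://..." references alike.
        for url in re.findall(r"https?://\S+", line):
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append((no, host))
    return findings


def hidden_code_lines(source_text):
    """Return (line_no, column) where a statement follows an unusually long run of spaces."""
    findings = []
    for no, line in enumerate(source_text.splitlines(), 1):
        m = HIDDEN_CODE.search(line)
        if m:
            findings.append((no, m.end() - 1))  # column of the first hidden character
    return findings


# Constructed samples; the lookalike host is a placeholder, not the domain used in the real attack.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
--extra-index-url https://mirror.example/simple
colorama==0.4.6
colorama @ https://files-pythonhosted.example/packages/colorama-0.4.6.tar.gz  # looks like PyPI
"""
SAMPLE_SOURCE = (
    "import os\n"
    "def init():\n"
    "    return True" + " " * 200 + "; run_hidden_payload()\n"  # constructed, inert placeholder call
)

if __name__ == "__main__":
    print(suspicious_requirement_lines(SAMPLE_REQUIREMENTS))  # [(2, 'mirror.example'), (4, 'files-pythonhosted.example')]
    print(hidden_code_lines(SAMPLE_SOURCE))  # [(3, 215)]
```

Run it as a pre-commit or CI check over requirements files and vendored sources; a hit is a prompt to inspect the line in full width, not a verdict.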

Once the malicious code was executed, the infection process continued with several additional steps, such as downloading and executing additional Python code, fetching necessary libraries, and setting up persistence.

In the end, the developers’ systems were infected with malware capable of logging keystrokes and stealing data from multiple browsers (including Brave, Chrome, Edge, Opera, Vivaldi, and Yandex), Discord, cryptocurrency wallets, Telegram sessions, Instagram, and computer files.

“The stolen data is exfiltrated to the attacker’s server using various techniques. The code includes functions to upload files to anonymous file-sharing services like GoFile and Anonfiles. It also sends the stolen information to the attacker’s server using HTTP requests,” Checkmarx notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
