Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Top Python Developers Hacked in Sophisticated Supply Chain Attack

Multiple Python developers get infected after downloading malware-packed clone of the popular tool Colorama.

Multiple Python developers, including a maintainer of Top.gg, were infected with information-stealing malware after downloading a malicious clone of a highly popular tool, Checkmarx reports.

Called Colorama, the utility makes ANSI escape character sequences work on Windows and has more than 150 million monthly downloads.

To mount their supply chain attack, the hackers cloned the tool, inserted malicious code into it, and placed the malicious version on a fake mirror domain that relied on typosquatting to trick developers into mistaking it for the legitimate ‘files.pythonhosted.org’ mirror.

To spread the malware-laden package, the attackers created malicious repositories under their own accounts and hijacked high-profile accounts, including the GitHub account ‘editor-syntax’, a maintainer of the Top.gg search and discovery platform for Discord, which has a community of over 170,000 members.

Using the ‘editor-syntax’ account, the attackers contributed a malicious commit to the top-gg/python-sdk repository, adding instructions to download the malicious clone of Colorama, and starred malicious GitHub repositories to increase their visibility.

The account was likely hacked via stolen cookies, which the attackers used to bypass authentication and perform malicious activities without knowing the account’s password. Multiple members of the Top.gg community were compromised as result of this.

To conceal their nefarious activity in their malicious repositories, the attackers would simultaneously commit multiple files, including legitimate ones along with those containing the link to the cloned Colorama package, so that they would blend in with the legitimate dependencies.

“By manipulating the package installation process and exploiting the trust users place in the Python package ecosystem, the attacker ensured that the malicious ‘colorama’ package would be installed whenever the malicious dependency was specified in the project’s requirements,” Checkmarx notes.

Advertisement. Scroll to continue reading.

To hide the malicious code in Colorama, the attackers added numerous white spaces, pushing the snippet off-screen, so it would not be noticeable during quick reviews of the source files. They also set the code to be executed every time Colorama was imported, regardless if it was used.

Once the malicious code was executed, the infection process continued with several additional steps, such as downloading and executing additional Python code, fetching necessary libraries, and setting up persistence.

In the end, the developers’ systems were infected with malware capable of logging keystrokes and stealing data from multiple browsers (including Brave, Chrome, Edge, Opera, Vivaldi, and Yandex), Discord, cryptocurrency wallets, Telegram sessions, Instagram, and computer files.

“The stolen data is exfiltrated to the attacker’s server using various techniques. The code includes functions to upload files to anonymous file-sharing services like GoFile and Anonfiles. It also sends the stolen information to the attacker’s server using HTTP requests,” Checkmarx notes.

Related: Watch Now: Supply Chain & Third-Party Risk Summit 2024

Related: Cyber Insights 2024: Supply Chain

Related: New Class of CI/CD Attacks Could Have Led to PyTorch Supply Chain Compromise

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.