A platform called Top.gg that’s used to publish bots for the popular Discord chat app recently had one of its GitHub repositories poisoned with malicious code as part of a larger software supply chain attack. The incident highlights the snowball effect that even one malicious package dependency could have in the larger open-source ecosystem.
“This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI and GitHub,” researchers from application and supply chain security firm Checkmarx said in an analysis of the attack. “This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks.”
The attackers used a combination of malware delivery techniques, from publishing rogue packages to PyPI, the main public registry for Python packages, to setting up rogue repositories on GitHub and using code obfuscation and typosquatting to avoid detection. The end goal was to deploy a trojan program designed to steal login information and authentication tokens from browsers and other applications installed on the compromised systems.
The compromised credentials gave attackers access to GitHub accounts belonging to developers, which then allowed them to inject a malicious dependency into legitimate repositories. One example was a repository belonging to Top.gg, a Discord bot publishing platform whose community includes over 170,000 users.
Using padding to hide malicious code
The attackers chose to trojanize a legitimate Python package called Colorama that has over 150 million monthly downloads because they hoped its popularity will not raise suspicions when it’s downloaded as a dependency for other packages. They then inserted a malicious function in the package’s init.py file which is used by the pip package manager when the package is installed. However, to make the malicious code harder to notice by anyone opening the file in a code editor, they added empty spaces before the function to push it out of the screen’s view.
To take their deception further, they registered a domain name called pypihosted.org and stored the file rogue variant on the files.pypihosted.org subdomain. Legitimate packages uploaded and listed on PyPI will be hosted and downloaded from a subdomain called files.pythonhosted.org. By creating a similar sounding domain like pypihosted.org, the attackers hoped that when they add their malicious package as a dependency to other packages it will be harder to notice.
Multiple malware distribution methods
One method to distribute their trojanized Coloroma package was to publish other packages on PyPI that would specify it as a dependency and would download it during the installation process. Packages that the Checkmarx researchers identified included yocolor, coloriv, colors-it, pylo-color, and others with random looking names. While yocolor was published in March, some of these packages go back as far back as November 2022, suggesting this campaign has been going on in different variations for a long time and the hackers behind it have gained a lot of experience.
A second distribution method was to also set up GitHub repositories under different identities and insert the rogue Colorama package as a dependency to them. One example was documented earlier this month by backend developer and cybersecurity researcher Mohammed Dief, who had his own system compromised after installing code from a repository called Valorant-Checker.
Dief tracked down the rogue Colorama version in the project’s requirements.txt as well as the domain name it was downloaded from. He then searched all GitHub projects for mentions of files.pypihosted.org and identified others that were either set up by the attackers or were poisoned. Amongst them was one called top-gg/python-sdk which is the official repository for a Python library for developers to interact with the Top.gg API.
Credential theft leads to repository poisoning
According to an analysis by Checkmarx, the python-sdk Top.gg repository had the malicious code committed from a GitHub account called editor-syntax. This is a legitimate account that belongs to the Top.gg maintainer and he was unaware that his account was compromised and was used to contribute malicious code. Other developers alerted Dief to the malware via the Top.gg community Discord server and the commits took him by surprise.
“The GitHub account of ‘editor-syntax’ was likely hijacked through stolen cookies,” the Checkmarx researchers said. “The attacker gained access to the account’s session cookies, allowing them to bypass authentication and perform malicious activities using the GitHub UI. This method of account takeover is particularly concerning, as it does not require the attacker to know the account’s password.”
While the full attack chain that resulted in editor-syntax’s account being compromised is not known, it’s probably no coincidence that the end goal of the malicious Coloroma package is to install an information stealing trojan on systems. The installation happens in multiple stages that involve Python scripts being downloaded from different attacker-controlled servers and then executed on the system. The code is obfuscated using multiple techniques including using Chinese and Japanese character strings, zlib compression and misleading variable names.
The trojan deployed on the system has a wide range of data theft capabilities. It searches for specific directories inside the Opera, Chrome, Brave, Vivaldi, Yandex and Edge browsers and extracts authentication cookies, autofill information, browsing history, bookmarks, credit card information and login credentials.
The trojan also attempts to steal files associated with cryptocurrency wallets, Discord tokens that can provide access to Discord accounts, Telegram session tokens, computer files with specific keywords in their names, Instagram account details. The malware also has a keylogger component that captures the victim’s keystrokes and uploads them to the command-and-control server.
It’s safe to assume that if any of the stolen credentials or access tokens provide attackers with access to GitHub accounts with commit privileges to different repositories, they will try to abuse those privileges to further distribute their trojan. Unfortunately, these compromises might not be easy to spot.
The Checkmarx researchers point out that when they added their rogue Coloroma package to a project’s requirements.txt file, the commits also included legitimate code contributions and changes. In fact, their rogue repositories hosted copies of legitimate and functional projects.
In fact, after the pypihosted.org domain was reported and taken down, one user opened a bug ticket on one of the rogue repositories to report that he was getting an error related to pypihosted.org being down when trying to install it. This shows how convincing these attacks can be and the snowball effect they can have on the ecosystem, especially if developers from legitimate projects have their accounts hijacked as a result.