Over 170,000 users have been affected by a sophisticated attack targeting the Python software supply chain.
The Checkmarx Research team has discovered a multi-layered campaign exploiting fake Python infrastructure to disseminate malware, posing a significant security risk to numerous developers and organizations.
This article explores the attack campaign, its repercussions on victims, the tactics, techniques, and procedures (TTPs) used by the threat actors, and the key insights gleaned from Checkmarx’s investigation.
Supply chain attack
At the heart of this campaign is the attackers' ability to combine multiple tactics, techniques, and procedures (TTPs) into a stealthy attack on the software supply chain, focused specifically on the Python ecosystem.
By creating numerous malicious open-source tools with enticing descriptions, the attackers lured victims to them, predominantly via search engines.
The campaign's sophistication is evident in its distribution of a malicious dependency hosted on fake Python infrastructure, which was then linked from popular GitHub projects and legitimate Python packages.
A chilling account from Mohammed Dief, a Python developer and one of the campaign’s victims, highlights the stealth and impact of the attack.
Dief encountered a suspicious error message while working on his laptop; that was the first sign of compromise, and it led him to realize that his system had been hacked.
Among the notable victims of this campaign is the Top.gg GitHub organization, a community of over 170,000 members.
The attackers hijacked high-reputation GitHub accounts, including that of "editor-syntax," a maintainer with write permissions to Top.gg's repositories.
This allowed them to commit malicious changes and to lend visibility and credibility to their own malicious repositories.
The attack’s impact is far-reaching, affecting individual developers and larger communities alike.
Social engineering schemes, account takeovers, and malicious packages published on the PyPI registry have underscored how vulnerable the software supply chain is to such sophisticated attacks.
The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain, and it appears to have successfully compromised multiple victims.
Threat Actors And TTPs
The threat actors employed a range of TTPs, including:
- Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
- Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPI registry, they could distribute malware under the guise of legitimate software.
- Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.
By deploying a fake Python package mirror and utilizing typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like “Colorama.”
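As an added illustration (not code from Checkmarx's report or any project named above), the check below audits a requirements file for the two warning signs the TTPs describe: indexes or direct downloads that resolve to a host other than PyPI, and package names that closely resemble a popular package such as colorama. The trusted-host set, the short popular-package list, and the sample requirements file with its mirror.example-not-pypi.invalid host are all constructed assumptions for this example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse
# Assumption for this example: only the official index and its file host are trusted,
# and this short list of popular names is what look-alikes are compared against.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
POPULAR = {"colorama", "requests", "numpy"}
# Constructed sample requirements.txt mirroring the campaign's pattern: an extra
# index on a non-PyPI host, a direct download from that host, and a look-alike name.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
--extra-index-url https://mirror.example-not-pypi.invalid/simple
colorama @ https://mirror.example-not-pypi.invalid/colorama-0.4.6.tar.gz
colourama==0.4.6
"""

def normalize(name):
    # PEP 503 normalization so "Colorama" and "colorama" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def untrusted_host(url):
    host = (urlparse(url).hostname or "").lower()
    return None if host in TRUSTED_HOSTS else host

def typosquat_of(name, threshold=0.85):
    # Return the popular package this name most resembles, unless it is that package.
    if name in POPULAR:
        return None
    best = max(POPULAR, key=lambda p: SequenceMatcher(None, name, p).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None

def audit_requirements(text):
    """Return (line, reason) findings for the contents of a requirements file."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("--index-url", "--extra-index-url", "-i ")):
            host = untrusted_host(line.replace("=", " ").split()[-1])
            if host:
                findings.append((line, f"package index on untrusted host {host}"))
            continue
        name, _, url = line.partition("@")
        name = normalize(re.split(r"[^A-Za-z0-9._-]", name.strip(), 1)[0])
        if url and (host := untrusted_host(url.strip())):
            findings.append((line, f"direct download from untrusted host {host}"))
        elif (look := typosquat_of(name)):
            findings.append((line, f"name resembles popular package {look}"))
    return findings
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` flags the extra index, the direct download, and the look-alike name while leaving the ordinary pinned `requests` line alone.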