Over 170,000 GitHub accounts of Python developers hacked in supply chain attack.

Home/BOTNET, Compromised, cyberattack, Exploitation, Internet Security, malicious cyber actors, Mobile Security, Security Advisory, Security Update/Over 170,000 GitHub accounts of Python developers hacked in supply chain attack.

Over 170,000 GitHub accounts of Python developers hacked in supply chain attack.

Over 170,000 users have been affected by a sophisticated attack targeting the Python software supply chain.

The Checkmarx Research team has discovered a multi-layered campaign exploiting fake Python infrastructure to disseminate malware, posing a significant security risk to numerous developers and organizations.

This article explores the attack campaign, its repercussions on victims, the tactics, techniques, and procedures (TTPs) used by the threat actors, and the key insights gleaned from Checkmarx’s investigation.

Supply chain attack

At the heart of this malicious campaign lies the attacker’s capability to amalgamate various tactics, techniques, and procedures (TTPs) to execute a stealthy assault on the software supply chain, with a specific focus on the Python ecosystem.

Through the creation of numerous malicious open-source tools accompanied by enticing descriptions, the attackers ensnared victims into their trap, predominantly through search engines.


The campaign’s sophistication is evident in distributing a malicious dependency hosted on a fake Python infrastructure, which was then linked to popular projects on GitHub and legitimate Python packages.

A chilling account from Mohammed Dief, a Python developer and one of the campaign’s victims, highlights the stealth and impact of the attack.

Dief encountered a suspicious error message while working on his laptop, the first sign of compromise, leading to the realization that his system had been hacked.

Among the notable victims of this campaign is the Top.gg GitHub organization, a community boasting over 170,000 members.

The attackers managed to hijack GitHub accounts with high reputations, including that of “editor-syntax,” a maintainer with write permissions to Top.gg’s repositories.

This allowed them to commit malicious acts and increase the visibility and credibility of their malicious repositories.

The attack’s impact is far-reaching, affecting individual developers and larger communities alike.

Social engineering schemes, account takeovers, and malicious packages published on the PyPi registry have underscored the software supply chain’s vulnerability to such sophisticated attacks.

The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain.

The campaign appears to have successfully exploited multiple victims.

Threat Actors And TTPs


They employed a range of TTPs, including:

  1. Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
  2. Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPi registry, they could distribute malware under the guise of legitimate software.
  3. Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.

By deploying a fake Python package mirror and utilizing typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like “Colorama.”

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

Post Views: 232
By | 2024-03-26T05:47:17+05:30 March 25th, 2024|BOTNET, Compromised, cyberattack, Exploitation, Internet Security, malicious cyber actors, Mobile Security, Security Advisory, Security Update|

About the Author:

FirstHackersNews- Identifies Security

Related Posts

Leave A Comment

Subscribe to our newsletter to receive security tips everday!