A recent malware campaign against Python developers is the latest example of the craftiness and resourcefulness of attackers who target the software supply chain, according to cybersecurity researchers.

Victims of the “far-reaching” operation included individual developers who publicly wrote about their incidents, as well as members of Top.gg — a community for people who create bots for the Discord messaging system — analysts at cybersecurity firm Checkmarx reported Monday. The malware’s goal is to steal information, including browser data, cryptocurrency wallet files, access to messaging apps and more, Checkmarx said. The researchers noted that Top.gg has about 170,000 members.

The attackers essentially rigged online infrastructure so that developers using Python — a versatile and popular programming language — would unknowingly download malware as they gathered pieces of existing code to integrate into projects. Among the compromised open-source tools was the Top.gg community’s repository on GitHub, the researchers said. The attackers also uploaded malicious packages — samples of useful code — to PyPI, a registry used by Python developers.

“One of the victims is the GitHub account editor-syntax who is also a maintainer of [Top.gg’s GitHub] and has write permissions to Top.gg’s git repositories,” Checkmarx said. In that case, the attackers appeared to get access to the user’s session cookies — a method that is “particularly concerning, as it does not require the attacker to know the account's password.”

Part of the operation was a poisoned version of Colorama, “a highly popular tool with 150+ million monthly downloads” that allows developers to adjust the color of text, the researchers said. Once a person’s computer is breached, the “multi-stage and evasive malicious payload harvests passwords, credentials, and more dumps of valuable data from infected systems and exfiltrates them to the attacker’s infrastructure,” Checkmarx said.
Information-stealing malware is frequently spotted in repositories and libraries. Recently researchers from Phylum tracked an example called NovaSentinel, and Japan’s national computer security agency attributed some malicious PyPI packages to North Korean state-backed hackers.
Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.