Supply Chain Attack Strikes GitHub, Developers Targeted

Top.gg, the popular service that helps users find Discord servers and bots, suffered a supply chain attack. Malefactors injected malicious code into Python packages used by bot developers, evidently aiming to steal sensitive data. The incident was detailed in a technical report by Checkmarx.

The assault was multifaceted:

  1. Malicious packages uploaded to PyPI: Starting from November 2022, attackers began deploying malicious packages on the PyPI platform, disguised as popular tools with enticing descriptions.
  2. A counterfeit Python package mirror: In early 2024, malefactors established a fake Python package mirror, simulating the genuine PyPI package file repository. This mirror hosted infected versions of legitimate packages, including the well-known “colorama”.
  3. Hacking the Top.gg administrator account: In March 2024, hackers breached the administrator account of the Top.gg platform, which had extensive access rights to GitHub repositories. Using this account, cybercriminals added malicious commits to the Top.gg platform’s python-sdk repository, specifically introducing a dependency on a tainted version of “colorama” served from the counterfeit mirror, and on other malicious repositories, which also raised their visibility.
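The dependency change in step 3 is what turned a compromised GitHub account into code running on developers’ machines: a requirements file that pulls a package from a host other than the official index will happily install whatever that host serves. The following audit script is an added example for this article, not code from Checkmarx, Top.gg or the python-sdk project. It scans a pip requirements file for the three things a reviewer should catch in such a commit: index options pointing outside pypi.org, direct-URL dependencies (`name @ https://...`) fetched from an unexpected host, and requirements that are not pinned to an exact version with a `--hash`. The sample requirements text and the `files.example-mirror.invalid` hostname are constructed for the example; the article does not give the real mirror’s domain. The pin and hash checks go slightly beyond the article, since they are the standard mitigation that makes a swapped package fail to install rather than a detail of this incident.

```python
"""Audit a pip requirements file for dependencies that bypass the official
package index.  Added example; the input below is constructed and the
hostnames in it are placeholders, not indicators from the real incident."""
import re
from urllib.parse import urlparse

# Hosts pip normally talks to when installing from the official index.
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Options that redirect pip to another index or file source.
_INDEX_OPT = re.compile(
    r"^(--index-url|-i|--extra-index-url|--find-links|-f)\s*=?\s*(\S+)"
)


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _logical_lines(text: str):
    """Yield (first_line_no, joined_text), folding backslash continuations
    the way pip does so that multi-line --hash entries are seen whole."""
    buf = []
    for no, raw in enumerate(text.splitlines(), 1):
        part = raw.rstrip()
        if part.endswith("\\"):
            buf.append((no, part[:-1]))
            continue
        buf.append((no, part))
        yield buf[0][0], " ".join(p for _, p in buf)
        buf = []
    if buf:
        yield buf[0][0], " ".join(p for _, p in buf)


def audit_requirements(text: str, allowed_hosts=OFFICIAL_HOSTS):
    """Return a list of (line_no, category, detail) findings.

    Categories: 'index' (index/find-links option pointing elsewhere),
    'direct_url' (pkg @ URL from a non-allowed host), 'unpinned'
    (no exact == version), 'no_hash' (no --hash for the artifact)."""
    findings = []
    for no, line in _logical_lines(text):
        line = line.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        m = _INDEX_OPT.match(line)
        if m:
            opt, url = m.groups()
            host = _host(url)
            if host not in allowed_hosts:
                findings.append((no, "index", f"{opt} points at {host}"))
            continue
        if line.startswith("-"):  # other options (-r, --require-hashes, ...)
            continue
        if "@" in line and "://" in line:  # PEP 508 direct reference
            name, _, url = line.partition("@")
            host = _host(url.strip())
            if host not in allowed_hosts:
                findings.append(
                    (no, "direct_url", f"{name.strip()} fetched from {host}")
                )
            continue
        spec = line.split("--hash", 1)[0].strip()
        if "==" not in spec:
            findings.append((no, "unpinned", spec))
        if "--hash=" not in line:
            findings.append((no, "no_hash", spec))
    return findings


# Constructed sample: NOT the real python-sdk requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
--extra-index-url https://files.example-mirror.invalid/simple
requests==2.31.0 --hash=sha256:{0}
colorama @ https://files.example-mirror.invalid/colorama-0.4.6.tar.gz
aiohttp
discord.py>=2.0
""".format("a" * 64)  # placeholder digest, not a real package hash


if __name__ == "__main__":
    for line_no, category, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {category}: {detail}")
```

Run against the sample, the script flags the extra index and the direct-URL `colorama` entry that mirror the attack pattern, and separately reports the two unpinned, unhashed entries. In a CI job the same check pairs naturally with `pip install --require-hashes`, which refuses to install anything whose digest is not listed, so a dependency silently re-pointed at another host cannot be resolved at all.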

The malicious code was capable of extensive data theft:

  • Browser data: logins, passwords, browsing history, autofill information, cookies, and credit card data from browsers including Opera, Chrome, Brave, Vivaldi, Yandex, and Edge.
  • Discord tokens: the malware could gain unauthorized access to Discord accounts, stealing tokens from respective folders.
  • Cryptocurrency wallets: the program scanned the system for cryptocurrency wallet files and transmitted them to the attackers’ server.
  • Telegram data: the malware attempted to steal Telegram session data for unauthorized access to accounts and conversations.
  • User files: the malware could steal files from the desktop, downloads, documents, and recently opened files based on specific keywords.
  • Instagram data: the program used stolen Instagram session tokens to retrieve account information via the Instagram API.
  • Keystrokes: the malware recorded the user’s keystrokes, potentially revealing passwords and other confidential information.

Stolen data was sent to the attackers’ server through various methods:

  • Via HTTP requests with unique identifiers (hardware ID, IP address);
  • Through anonymous file-sharing services (GoFile, Anonfiles).

The precise number of affected users remains unknown. However, this attack once again underscores the importance of security verification for components used in software development.