Supply Chain Attack Strikes GitHub, Developers Targeted

A popular service that helps users find Discord servers and bots suffered a supply chain attack. Attackers injected malicious code into Python packages used by bot developers, evidently aiming to steal sensitive data. The incident was detailed in a technical report by Checkmarx.

The attack unfolded in several stages:

  1. Malicious packages uploaded to PyPI: starting in November 2022, the attackers published malicious packages on PyPI, disguised as popular tools and given enticing descriptions.
  2. A counterfeit Python package mirror: in early 2024, the attackers set up a fake Python package mirror that imitated the genuine PyPI file repository. This mirror hosted infected versions of legitimate packages, including the well-known “colorama”.
  3. Compromise of the administrator account: in March 2024, the attackers gained access to the platform’s administrator account, which had extensive access rights to its GitHub repositories. Using this account, they added malicious commits to the platform’s python-sdk repository, introducing a dependency on the tainted version of “colorama”, and linked to other malicious repositories to boost their visibility.
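The common thread in stages 2 and 3 is that a requirements file was made to resolve a package from somewhere other than the official index. The following script is an added defensive example, not code from the article or from Checkmarx: it audits a pip requirements file for index or direct-URL hosts outside pypi.org / files.pythonhosted.org and for dependencies that are not pinned to a version and a `--hash`. The requirements text and the look-alike host `files.pypihosted.invalid` are constructed for the demonstration; the sha256 digest shown is a placeholder, not a real colorama hash.

```python
import re
from urllib.parse import urlparse

# Hosts that pip legitimately talks to for the official index.
TRUSTED_INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Options that redirect pip to another index or file source.
INDEX_OPTS = ("--index-url", "-i", "--extra-index-url", "--find-links", "-f")

# Constructed sample requirements file (not from the article). The
# ".invalid" host stands in for a look-alike mirror; the sha256 value
# is a placeholder digest, not the real one for colorama.
SAMPLE_REQUIREMENTS = """\
# constructed sample
--extra-index-url https://files.pypihosted.invalid/simple
colorama==0.4.6 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.31.0
pillow @ https://files.pypihosted.invalid/pillow-10.0.0.tar.gz
"""


def _host_of(url):
    return urlparse(url).hostname or ""


def audit_requirements(text):
    """Return (line_number, issue, subject) tuples for risky requirement lines.

    Issues reported:
      untrusted-index  an index/find-links option points outside PyPI
      direct-url       a 'name @ url' requirement fetches from outside PyPI
      unpinned         no exact '==' version pin
      no-hash          no --hash, so pip cannot verify the downloaded file
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # pip only treats '#' as a comment when preceded by whitespace.
        line = line.split(" #", 1)[0].strip()
        tokens = line.split()

        if tokens[0] in INDEX_OPTS:
            url = tokens[1] if len(tokens) > 1 else ""
            host = _host_of(url)
            if host not in TRUSTED_INDEX_HOSTS:
                findings.append((lineno, "untrusted-index", host))
            continue

        if " @ " in line:
            url = line.split(" @ ", 1)[1].split()[0]
            host = _host_of(url)
            if host not in TRUSTED_INDEX_HOSTS:
                findings.append((lineno, "direct-url", host))
            continue

        # Project name is everything before a version specifier, extras or marker.
        name = re.split(r"[=<>!~\[;]", tokens[0], 1)[0]
        if "==" not in tokens[0]:
            findings.append((lineno, "unpinned", name))
        if "--hash=" not in line:
            findings.append((lineno, "no-hash", name))
    return findings


if __name__ == "__main__":
    for lineno, issue, subject in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {issue}: {subject}")
```

Run on the sample, the audit flags the extra index and the direct download from the look-alike host, and flags `requests` for lacking a hash; the fully pinned and hashed `colorama` line passes. In a CI pipeline the same check can gate merges to a repository such as the python-sdk repository described above, so that a commit that swaps the package source is caught before it ships.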

The malicious code was capable of extensive data theft:

  • Browser data: logins, passwords, browsing history, autofill information, cookies, and credit card data from browsers including Opera, Chrome, Brave, Vivaldi, Yandex, and Edge.
  • Discord tokens: the malware could gain unauthorized access to Discord accounts by stealing tokens from the folders where Discord stores them.
  • Cryptocurrency wallets: the program scanned the system for cryptocurrency wallet files and transmitted them to the attackers’ server.
  • Telegram data: the malware attempted to steal Telegram session data to gain unauthorized access to accounts and conversations.
  • User files: the malware could steal files from the desktop, downloads, documents, and recently opened files, selected by specific keywords.
  • Instagram data: the program used stolen Instagram session tokens to retrieve account information via the Instagram API.
  • Keystrokes: the malware recorded the user’s keystrokes, potentially capturing passwords and other confidential information.

Stolen data was sent to the attackers’ server in two ways:

  • Via HTTP requests with unique identifiers (hardware ID, IP address);
  • Through anonymous file-sharing services (GoFile, Anonfiles).
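Both channels leave traces in egress logs: the upload to a file-sharing service is a large outbound POST to a known host. The script below is an added detection example, not from the article or from Checkmarx. It runs over constructed proxy log lines in a simple `timestamp client method url bytes` format and reports clients that POST large bodies to the file-sharing services named above. The hostnames `gofile.io` and `anonfiles.com` are assumed for those services (the article gives no domains), and the size threshold is an arbitrary tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed hostnames for the file-sharing services mentioned in the article.
WATCHED_HOSTS = {"gofile.io", "anonfiles.com"}

# Constructed proxy log lines (not real traffic). Fields:
#   timestamp client_ip method url response_or_request_bytes
SAMPLE_LOG = """\
2024-03-20T10:01:02Z 10.0.0.5 GET https://pypi.org/simple/colorama/ 1203
2024-03-20T10:01:09Z 10.0.0.5 POST https://store1.gofile.io/uploadFile 5242880
2024-03-20T10:02:15Z 10.0.0.7 GET https://github.com/ 45120
2024-03-20T10:02:40Z 10.0.0.7 POST https://api.gofile.com/ping 80
2024-03-20T10:03:30Z 10.0.0.5 POST https://api.anonfiles.com/upload 712000
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def _matches_watched(host):
    """True for a watched domain or any subdomain of it."""
    return host in WATCHED_HOSTS or any(host.endswith("." + h) for h in WATCHED_HOSTS)


def find_suspicious_uploads(log_text, min_bytes=100_000):
    """Return {client_ip: [(timestamp, host, bytes), ...]} for large POSTs
    to watched file-sharing hosts. min_bytes is a tuning threshold chosen
    for this example; small pings and page loads are ignored."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # malformed line; a real parser would count these
        ts, client, method, url, nbytes = m.groups()
        size = int(nbytes)
        host = urlparse(url).hostname or ""
        if method == "POST" and size >= min_bytes and _matches_watched(host):
            hits[client].append((ts, host, size))
    return dict(hits)


if __name__ == "__main__":
    for client, uploads in find_suspicious_uploads(SAMPLE_LOG).items():
        total = sum(size for _, _, size in uploads)
        print(f"{client}: {len(uploads)} upload(s), {total} bytes")
        for ts, host, size in uploads:
            print(f"  {ts} {host} {size}")
```

On the sample, only client 10.0.0.5 is reported, with one upload to each service; the small POST from 10.0.0.7 to an unrelated `.com` host is ignored both because the domain is not watched and because it is below the size threshold. Correlating such hits with the package-install activity of the same host (here, the preceding request to pypi.org) is what turns a single alert into an investigation lead.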

The precise number of affected users remains unknown. The attack nonetheless underscores, once again, the importance of verifying the components used in software development.