New Supply Chain Attack Detection: Hackers Apply Multiple Tactics to Target GitHub Developers Using a Fake Python Infrastructure

Hackers employ diverse TTPs in a multi-stage software supply-chain campaign going after GitHub users, including members of the widely recognized Top.gg community, with over 170,000+ users falling prey to the offensive operations. Adversaries took advantage of a fake Python infrastructure, causing the full compromise of GitHub accounts, the publication of harmful Python packs, and the employment of social engineering tricks.

Detecting a Supply Chain Attack Against GitHub Developers

Supply chain attacks pose a significant challenge in today’s cybersecurity landscape, presenting a complex and elusive threat to organizations. To identify the malicious activity linked to the latest attack leveraging a fake Python infrastructure, SOC Prime Platform offers a set of relevant detection rules backed by advanced tools for threat hunting and detection engineering. 

Hit the Explore Detections button below and immediately drill down to a Sigma rules pack addressing the latest supply chain attack against Python developers on GitHub. All the rules are compatible with 28 SIEM, EDR, XDR, and Data Lake solutions and mapped to the MITRE ATT&CK framework to streamline the threat investigation. Additionally, detections are accompanied by extensive metadata, including detailed threat intelligence, attack timelines, and media references.

Explore Detections

Supply-Chain Attack Campaign Analysis Using a Fake Python Infrastructure

Defenders have uncovered a novel sophisticated supply chain attack that hits GitHub developers, including the members of a popular Top.gg community. According to the recent report by the Checkmarx, leveraging a wide range of adversary TTPs gave threat actors the green light to orchestrate advanced intrusions, evade detection, and impede defensive measures.

The malicious infrastructure involved a fraudulent resource that was disguised as a Python package mirror using a convincing typosquatting adversary technique. Adversaries duplicated a widely used utility dubbed Colorama and injected malicious strings into it. Hackers concealed a payload within the latter via space-padding techniques and hosted this altered version on their typosquatting-domain fake mirror, which posed increasing challenges for defenders to track the offensive activity. 

In addition to generating malicious repos via their own accounts, adversaries hijacked highly reputable GitHub ones and took advantage of the resources associated with those accounts to push harmful commits. 

Notably, to further remain under the radar, hackers adopted a tricky strategy when making tweaks to a set of weaponized repos. They committed an array of files, including those containing harmful links, alongside other legitimate files at the same time. This enabled adversaries to evade detection since the weaponized URLs would camouflage among the legitimate dependencies.

Apart from deploying the malicious samples via offensive GitHub repos, hackers also leveraged a harmful Python pack to expand the distribution of the Colorama ones with the malicious strain. Adversaries took advantage of a nasty technique to conceal the malicious payload within the code that was crafted to minimize the visibility of the harmful code during a brief review of the package’s source files.

The malware used in this offensive campaign is capable of siphoning a wide range of sensitive details from popular browsers. In addition, it infiltrates the Discord server to search for tokens that can be decrypted to access the victim’s account, steal financial details, retrieve Telegram session data, and exfiltrate computer files.

Due to the increased sophistication of similar offensive campaigns, like the most recent multi-stage attack affecting over 17,000 users and designed to spread malware via reputable PyPI and GitHub platforms, defenders are looking for ways to elevate cyber vigilance against such complex supply-chain attacks. Coordinating defensive efforts and peer-driven information exchange proves to be highly efficient in the ongoing fight against adversary capabilties. SOC Prime Platform for collective cyber defense based on global threat intelligence, crowdsourcing, zero-trust, and AI provides progressive organizations and individual users with a future-proof capability to proactively defend against attacks of any scale and sophistication.