Hackers poison source code for largest Discord bot platform

March 25, 2024 at 02:06PM

A supply-chain attack has targeted the Top.gg Discord bot community of over 170,000 members, aiming to distribute malware for data theft and monetization. An attacker used various tactics, including hijacking accounts and creating fake Python packages, leading to compromised systems and data theft. This underscores the risks in the open-source supply chain and the need for developer security.

According to the report, the Top.gg Discord bot community, with over 170,000 members, has been targeted in a supply-chain attack aimed at delivering malware that steals sensitive information. Checkmarx researchers discovered the campaign, which combined hijacked GitHub accounts, malicious Python packages, a fake Python package infrastructure, and social engineering.

The attacker’s activity dates back to November 2022, when they first uploaded malicious packages on the Python Package Index (PyPI). Subsequently, they set up a fake Python package mirror to host poisoned versions of legitimate packages and compromised systems through poisoned dependencies. In March 2024, the attacker compromised a maintainer account on top.gg and made malicious commits to the platform’s GitHub repositories, aiming to increase visibility and credibility.
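The fake-mirror step described above only works if the installer trusts whatever the index happens to serve for a given version. As an added example (not code from the article or from Checkmarx), the script below shows how hash-pinned requirements, the format that `pip install --require-hashes` consumes, reject a tampered copy of an otherwise legitimate release; the package name `examplepkg` and the artifact bytes are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-ins for a wheel served by the real index and a tampered
# copy of the same version served by a look-alike mirror.
LEGIT_WHEEL = b"examplepkg-1.0.0-py3-none-any.whl: original contents"
POISONED_WHEEL = LEGIT_WHEEL + b"\n# injected loader stub"

# Hash-pinned requirements in the form `pip install --require-hashes` reads.
# The digest is derived from the legit artifact so the example is self-contained.
REQUIREMENTS = f"""
examplepkg==1.0.0 \\
    --hash=sha256:{hashlib.sha256(LEGIT_WHEEL).hexdigest()}
""".strip()

_REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)")
_HASH_OPT = re.compile(r"--hash=(?P<algo>\w+):(?P<digest>[0-9a-f]+)")


def parse_hashed_requirements(text: str) -> dict[tuple[str, str], set[tuple[str, str]]]:
    """Map (name, version) -> {(algorithm, digest)}; handles backslash continuations."""
    joined = text.replace("\\\n", " ")
    pins: dict[tuple[str, str], set[tuple[str, str]]] = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line}")
        hashes = {(h.group("algo"), h.group("digest")) for h in _HASH_OPT.finditer(line)}
        if not hashes:
            raise ValueError(f"requirement without --hash: {line}")
        pins[(m.group("name").lower(), m.group("version"))] = hashes
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins) -> bool:
    """True only if the downloaded bytes match a pinned digest for that exact version."""
    allowed = pins.get((name.lower(), version))
    if not allowed:
        return False  # unknown package or version: refuse rather than trust the index
    return any(hashlib.new(algo, data).hexdigest() == digest for algo, digest in allowed)


if __name__ == "__main__":
    pins = parse_hashed_requirements(REQUIREMENTS)
    print("legit   :", verify_artifact("examplepkg", "1.0.0", LEGIT_WHEEL, pins))
    print("poisoned:", verify_artifact("examplepkg", "1.0.0", POISONED_WHEEL, pins))
```

A mirror can substitute package contents, but it cannot make a modified artifact match a digest recorded from the genuine release, so the install fails closed.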

The final payload establishes persistence on compromised machines and steals a range of data: browser data, Discord tokens, cryptocurrency wallet files, Telegram session data, Instagram session tokens, and files matching specific keywords. The stolen data is sent to the command-and-control server via HTTP requests and uploaded to file-hosting services. The number of users affected by this campaign is unknown.

The report from Checkmarx underscores the risks associated with the open-source supply chain and emphasizes the importance of developers assessing the security of their building blocks.
