Top Python Developers Hacked in Sophisticated Supply Chain Attack

March 25, 2024 at 08:00AM

Python developers, including a maintainer of Top.gg, were targeted by information-stealing malware. Attackers cloned and inserted malicious code into Colorama, a widely-used tool, and spread it through fake mirror domains and compromised repositories. The malware invaded systems, stealing data and executing additional harmful actions, impacting multiple browsers and platforms.

Key takeaways from the meeting notes:

– Multiple Python developers, including a maintainer of Top.gg, were infected by information-stealing malware after downloading a malicious clone of the popular tool Colorama.
– The attackers used a supply chain attack by cloning the tool, inserting malicious code, and placing the fake version on a domain using typosquatting.
– They spread the malware-laden package by creating malicious repositories under their own accounts and hijacking high-profile accounts, such as the GitHub account ‘editor-syntax’.
– The ‘editor-syntax’ account was likely hacked via stolen cookies to bypass authentication and contribute a malicious commit to the top-gg/python-sdk repository.
– The attackers manipulated the package installation process and exploited trust in the Python package ecosystem to ensure the malicious ‘colorama’ package would be installed whenever the malicious dependency was specified.
– The attackers concealed the malicious code in Colorama by padding the line with whitespace, pushing the snippet off-screen. Once executed, the malicious code infected developers’ systems with malware capable of logging keystrokes and stealing data from various applications.
– The stolen data was exfiltrated to the attacker’s server using various techniques, including uploading files to anonymous file-sharing services and sending information via HTTP requests.
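Two of the techniques listed above lend themselves to simple source-level checks: code hidden behind a long run of whitespace on an otherwise normal-looking line, and a dependency file that steers pip at an index host other than the official one. The scanner below is an added example written for this page, not code from the article or from the Colorama or Top.gg projects; the sample source and requirements text are constructed, and the 80-character padding threshold and the allowed index hosts are assumptions you would tune for your own repositories.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: a run of this many spaces/tabs between two code tokens is long
# enough to push the trailing code past a typical editor viewport.
MIN_PADDING = 80

# Assumption: the only index hosts a requirements file is allowed to name.
DEFAULT_INDEX_HOSTS = frozenset({"pypi.org", "files.pythonhosted.org"})


@dataclass
class Finding:
    kind: str      # "padded-line" or "foreign-index"
    line_no: int   # 1-based line number in the scanned text
    detail: str    # human-readable context for the reviewer


def find_padded_code(source: str, min_padding: int = MIN_PADDING) -> list:
    """Flag lines where visible code is followed by a long whitespace run and
    then more code (the off-screen concealment described in the takeaways).
    Leading indentation is not flagged, because the run must sit between two
    non-whitespace characters."""
    pattern = re.compile(r"\S([ \t]{%d,})(\S)" % min_padding)
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = pattern.search(line)
        if match:
            hidden = line[match.end(1):].strip()
            findings.append(Finding(
                "padded-line", line_no,
                f"{len(match.group(1))} whitespace chars precede: {hidden[:60]}"))
    return findings


def find_foreign_index_urls(requirements: str,
                            allowed_hosts=DEFAULT_INDEX_HOSTS) -> list:
    """Flag --index-url / --extra-index-url options (real pip options) whose
    host is not on the allowlist, e.g. a look-alike mirror domain."""
    option = re.compile(r"--(?:extra-)?index-url(?:=|\s+)(\S+)")
    findings = []
    for line_no, line in enumerate(requirements.splitlines(), start=1):
        match = option.search(line)
        if match:
            host = urlparse(match.group(1)).hostname or ""
            if host not in allowed_hosts:
                findings.append(Finding("foreign-index", line_no, host))
    return findings


# Constructed sample input: line 3 carries a benign print() hidden behind
# 300 spaces, and the requirements file names a made-up index host.
SAMPLE_SOURCE = (
    "import os\n"
    "from colorama import Fore\n"
    "print(Fore.RED + 'hello')" + " " * 300 + "; print('hidden code runs here')\n"
    "print('done')\n"
)
SAMPLE_REQUIREMENTS = (
    "requests==2.31.0\n"
    "--extra-index-url https://pypi.example.invalid/simple\n"
    "colorama\n"
)


def scan(source: str, requirements: str) -> list:
    """Run both checks and return the combined findings."""
    return find_padded_code(source) + find_foreign_index_urls(requirements)


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS):
        print(f"[{finding.kind}] line {finding.line_no}: {finding.detail}")
```

Run this over a repository as a pre-commit or CI step; a padded-line hit is rare in legitimate Python and worth a manual look, and a foreign-index hit means a dependency resolution that would silently prefer packages from a host you have not vetted.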

Additionally, the meeting notes included references to related events and insights on supply chain and third-party risk.