Python supply chain exploited to distribute malware


Top.gg’s 170k members targeted.

A Python coding community is undergoing a software supply-chain attack, with threat actors targeting the 170,000-strong Top.gg GitHub organisation with malware.

Top.gg began life as Discord Bots, promoting the work of developers in the Discord ecosystem and hosting millions of bots.

Once a Top.gg member was infected, the malware stole browser data (cookies, autofill entries, history, bookmarks, saved credit cards and login credentials) from Opera, Chrome, Brave, Vivaldi, Yandex and Edge, along with Discord data including Discord tokens, which, once decrypted, give the attackers access to the victim’s account.

Cryptocurrency wallets, Telegram session data, Instagram data, and files on the victim’s computer were also targeted for theft.

According to Checkmarx, Top.gg as well as some individual developers were targeted by the miscreants, whose approaches included “account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPi registry”.

The attackers’ main aim was to distribute malware-infected software via PyPI, which has been similarly attacked before – in May 2022, August 2022, and January 2023.

The attack was multi-faceted. As Checkmarx noted, the attackers used “multiple” tactics, techniques and procedures (TTPs), including poisoned clones of packages such as Colorama (which displays coloured text in a Python terminal), and typosquatting files.pythonhosted.org, the domain from which official PyPI package files are downloaded, as files[.]pypihosted[.]org.

The attackers targeted the GitHub account editor-syntax, probably via stolen session cookies, the researchers said. The editor-syntax account holder is a maintainer of Top.gg and has write permissions to Top.gg’s repositories.

That allowed them to add their poisoned Colorama to the requirements list for Top.gg’s Python SDK.
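The weak point described above is a dependency line that quietly pulls a package from a lookalike host rather than from the official PyPI download host. The following scanner is an added example, not code from the article, Checkmarx or Top.gg: it parses a requirements.txt (direct-reference lines of the form `name @ https://...` and `--index-url`/`--extra-index-url`/`--find-links` options), extracts every URL host, and reports any host that is not pypi.org or files.pythonhosted.org, marking as a lookalike any such host that reuses a PyPI brand token. The requirements file embedded below is constructed for the example; its hostnames and package paths are illustrative only.

```python
"""Flag requirements.txt entries that download from a non-official host.

Added example; not the project's or the researchers' code.
The SAMPLE_REQUIREMENTS text below is constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts that legitimately serve official PyPI packages and metadata.
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Brand tokens a typosquatter is likely to reuse so the host looks familiar
# (files[.]pypihosted[.]org reuses "pypi"; heuristic chosen for this example).
LOOKALIKE_TOKENS = ("pypi", "pythonhosted", "python")

URL_RE = re.compile(r"https?://[^\s'\"]+")
# pip treats "#" as a comment only at line start or after whitespace,
# so "...#egg=name" fragments inside a URL survive this strip.
COMMENT_RE = re.compile(r"(^|\s)#.*$")

# Constructed sample: line 4 mimics the pattern in the article (a direct URL
# to a colorama copy on a lookalike host); line 6 is an ordinary private index.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0
idna @ https://files.pythonhosted.org/packages/idna-3.6.tar.gz
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
--extra-index-url https://files.pypihosted.org/simple
--extra-index-url https://packages.corp.example/simple
"""


def hosts_in_line(line):
    """Return every URL hostname on one requirements line (lowercased)."""
    return [urlparse(url).hostname for url in URL_RE.findall(line)]


def classify_host(host):
    """'official', 'lookalike' (non-official but reusing a PyPI token), or 'third-party'."""
    if host in OFFICIAL_HOSTS:
        return "official"
    if any(token in host for token in LOOKALIKE_TOKENS):
        return "lookalike"
    return "third-party"


def scan_requirements(text):
    """Return (line_number, host, verdict) for every non-official download host."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        for host in hosts_in_line(line):
            verdict = classify_host(host)
            if verdict != "official":
                findings.append((lineno, host, verdict))
    return findings


if __name__ == "__main__":
    for lineno, host, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {host} ({verdict})")
```

Run it against a real requirements.txt by reading the file into `scan_requirements`; a "lookalike" verdict on a dependency such as Colorama is exactly the symptom to stop a build on, while "third-party" hits for an internal mirror can be allow-listed by adding the host to OFFICIAL_HOSTS. The token heuristic is deliberately simple; it catches the substitution seen here but not every possible lookalike, so treat any non-official host as needing review rather than relying on the verdict alone.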

The malware also has a persistence mechanism: the Windows registry is modified to create a new run key, “which ensures that the malicious Python code is executed every time the system is rebooted”, Checkmarx wrote.

Copyright © 2010 IT Week