The Information Highway

The Information Highway

Font size: +
2 minutes reading time (394 words)

GitHub supply chain attack

Threat update

Malicious actors have launched a software supply chain attack targeting developers on the GitHub platform. LBT Technology Group, LLC. recommends taking proactive measures detailed in this Cybersecurity Threat Advisory to mitigate the risk. 

Technical Detail and Additional Info

What is the threat?

A variety of techniques were used to launch this attack including leveraging stolen browser cookies to take over accounts and contributing malicious code with verified commits on GitHub. This also involved setting up a custom Python mirror and publishing malicious packages to the PyPI (Python Package Index) registry, linking it to popular projects on GitHub. Typo squatting was used to disguise the malicious Python package mirror register as "files[.]pypihosted[.]org," which closely resembles the official Python mirror, "files.pythonhosted.org." This is where official artifact files of PyPI packages normally live.

This technique led to the deployment of a tampered copy of Colorama, a package used by developers to add color and style to text in terminal outputs. The threat actors were able to initiate a silent software supply chain attack that stole passwords, credentials, and other data from infected systems targeting developers. 

Why is it noteworthy?

Millions of people use GitHub and Colorama which increases the potential impact of this supply chain attack. Unauthorized code changes can have detrimental impacts as well.

What is the exposure or risk?

The malicious resources can steal a wide variety of information, including data from browsers such as Edge, Chrome, Opera, and Yandex. The data includes autofill information, cookies, credit cards, login credentials, and browsing history. This can also get into Discord, looking for tokens that it can decrypt to gain access to the victim's account and steal cryptocurrency wallets, grab Telegram data, and exfiltrate computer files. It also looks to steal sensitive information from Instagram files using a session token and can log victims' keystrokes, exposing information like passwords, personal messages, and financial details.

What are the recommendations?

LBT Technology Group, LLC. recommends the following actions to limit the impact of this supply chain attack:

  • Verify dependencies and resources before interacting with them.
  • Monitor for suspicious network activity.
  • Maintain a proper security posture to mitigate the risk and impact of this attack.

References

TA558 phishing campaign
AWS 'FlowFixation' vulnerabiltiy

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Friday, 20 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023