An unidentified group of threat actors orchestrated a sophisticated supply chain cyberattack on members of the Top.gg GitHub organization as well as individual developers in order to inject malicious code into the code ecosystem.

The attackers infiltrated trusted software development elements to compromise developers. They hijacked GitHub accounts with stolen cookies, contributed malicious code via verified commits, established a counterfeit Python mirror, and released tainted packages on the PyPI registry.

"Multiple TTPs help attackers create sophisticated attacks, evade detection, increase the chances of successful exploitation, and complicate defense efforts," says Jossef Harush Kadouri, head of software supply chain security at Checkmarx.

The attackers utilized a convincing typosquatting technique with a fake Python mirror-domain resembling the official one to deceive users, according to a blog post by Checkmarx researchers.

By tampering with popular Python packages like Colorama — which is used by more than 150 million users to simplify the process of formatting text — the attackers concealed malicious code within seemingly legitimate software, expanding their reach beyond GitHub repositories.

They also exploited high-reputation GitHub Top.gg accounts to insert malicious commits and increase the credibility of their actions. Top.gg has 170,000 members.

Data Theft

In the final stage of the attack, the malware used by the threat group steals sensitive information from the victim. It can target popular user platforms, including Web browsers like Opera, Chrome, and Edge — targeting cookies, autofill data, and credentials. The malware also roots out Discord accounts and abused decrypted tokens to gain unauthorized access to victim accounts on the platform.

The malware can steal victim's cryptocurrency wallets, Telegram session data, and Instagram profile information. In the latter scenario, the attacker uses the victim's session tokens to retrieve their account details, employing a keylogger to capture keystrokes, potentially compromising passwords and personal messages.

The stolen data from these individual attacks is then exfiltrated to the attacker's server using various techniques, including anonymous file-sharing services and HTTP requests. The attackers utilize unique identifiers to track each victim.

To evade detection, the attackers employed intricate obfuscation techniques in their code, including whitespace manipulation and misleading variable names. They established persistence mechanisms, modified system registries, and executed data-stealing operations across various software applications.

Despite these sophisticated tactics, some vigilant Top.gg community members noticed the malicious activities and reported it, which led to Cloudflare taking down the abused domains, according to Checkmarx. Even so, Checkmarx's Kadouri still regards the threat as "active."

How to Protect Developers

IT security professionals should regularly monitor and audit new code project contributions and focus on education and awareness for developers on the risks of supply chain attacks.

"We believe in putting competition aside and working together to make the open source ecosystems safe from attackers," Kadouri says. "Sharing resources is crucial for having an edge over software supply chain threat actors."

Expect software supply chain attacks to continue, according to Kadouri. "I believe the evolution of supply chain attacks is going to increase in build pipelines and AI and large language models."

Recently, repositories for machine learning models, such as Hugging Face, have offered threat actors opportunities to inject malicious code into development environments, akin to open source repositories npm and PyPI.

Other software supply chain security issues have arisen recently, affecting cloud versions of the JetBrains TeamCity software development platform manager as well as malicious code updates slipped into hundreds of GitHub repositories in September.

And weak authentication and access controls allowed Iranian hacktivists to conduct a supply chain attack earlier this month on Israeli universities via a technology provider.