Introduction
files.pythonhosted.org is the Python infrastructure where PyPI packages are hosted. These packages are used for development purposes; some well-known ones are matplotlib, Colorama, sklearn, etc. In this incident, the attacker hosted a mirror of the legitimate Python infrastructure (files.pythonhosted.org) on a typosquatted domain, altering files.pythonhosted.org to files.pypi.org. The attacker modified the widely used Colorama package, injected code into it that exfiltrates data, hid the injection using space padding, and hosted the package on the typosquatted site. There were some initial victims, as the malicious package was installed by unsuspecting users and developers. Through these victims, the attacker was able to steal the GitHub session cookies of an active contributor to Top.gg, a Discord bot used by many Discord servers. The attacker then used the cookies to log in to that GitHub account and, with the victim's rights, added the malicious Colorama package to the requirements.txt of Top.gg. This malicious commit affected 170k users, resulting in the exfiltration of all their Discord credentials and sensitive information. The attacker used various TTPs to increase the reach of the malicious Colorama package and disrupt the software supply chain.
Incident
This attack directly targets the integrity aspect of security. An unsuspecting individual who does not check small details, such as where the package is hosted and when it was last updated, may install this package believing it is legitimate when in reality it is malicious. Once installed, it compromises the integrity of the application and harvests all the sensitive information it can reach.
Recommendations
This kind of attack can be prevented by the following measures:
- Using digital signatures, which help maintain the integrity of packages.
- Timely security auditing of the repositories, checking commits and their legitimacy.
- Users should carefully read packages and their requirements and try to check their legitimacy.
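As an added example (not part of the original write-up), the following script performs the kind of requirements.txt review the recommendations describe: it flags any index or direct-download URL whose host is not one of the official PyPI hosts (the incident's look-alike domain, files.pypi.org, is used in the constructed sample below) and flags lines where content is hidden behind a long run of spaces, the padding trick used to conceal the injected code. The trusted-host list and the sample file are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hosts from which package downloads are expected (assumption for this example).
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Constructed sample requirements.txt, not the real Top.gg file. Line 5 hides
# extra content behind 200 spaces so it scrolls off-screen in a diff viewer.
SAMPLE_REQUIREMENTS = """\
discord.py==2.3.2
requests>=2.31
--extra-index-url https://files.pypi.org/simple/
colorama @ https://files.pypi.org/packages/colorama-0.4.6.tar.gz
""" + "flask==3.0.0" + " " * 200 + "; python_version < '0'\n"

URL_RE = re.compile(r"""https?://[^\s"']+""")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_requirements(text, trusted=TRUSTED_HOSTS, pad_threshold=40):
    """Return (line_no, reason, excerpt) findings for a requirements file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no install instruction
        # Any --index-url / --extra-index-url / direct URL pointing off-PyPI.
        for url in URL_RE.findall(line):
            host = host_of(url)
            if host and host not in trusted:
                findings.append((n, f"untrusted host {host}", line.strip()[:60]))
        # Visible text, then a long run of spaces, then more text: padding trick.
        padded = re.search(r"\S( {%d,})\S" % pad_threshold, line)
        if padded:
            reason = f"{len(padded.group(1))} spaces of padding hide trailing content"
            findings.append((n, reason, line.strip()[:60]))
    return findings


if __name__ == "__main__":
    for line_no, reason, excerpt in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {reason}: {excerpt}")
```

Pair this review with pip's hash pinning (`--hash=` entries installed under `--require-hashes`) so that a package fetched from an unexpected host cannot silently replace the one that was audited.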
References
https://thehackernews.com/2024/03/hackers-hijack-github-accounts-in.html