Cybersecurity researchers at Checkmarx have discovered a new infostealing campaign that used typosquatting and stolen GitHub accounts to distribute malicious Python packages to the PyPI repository.
In a blog post, Checkmarx’s Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri and Tzachi Zornshtain said they discovered the campaign after a Python developer complained that he had fallen victim to the attack.
Apparently the company believes more than 170,000 people are at risk.
Infostealers and keyloggers
The attackers first used a popular Python mirror, Pythonhosted, and created a typed website version. They called it PyPIhosted. They then grabbed a large package called Colorama (over 150 million monthly downloads), added malicious code to it, and then uploaded it to their fake mirror with the typed domain. “This strategy makes it significantly more challenging to identify the malicious nature of the package with the naked eye, as it initially appears to be a legitimate dependency,” the researchers explained.
Another strategy involved stealing popular GitHub accounts. An account called ‘editor-syntax’ has had its account compromised, most likely via session cookie theft. By obtaining session cookies, the attackers managed to bypass all authentication methods and log in directly to the person’s account. Editor Syntax is a major contributor and maintains the Top.gg GitHub organization whose community has over 170,000 members. The threat actors used the access to insert malware into the Top.gg Python library.
The aim of the campaign was to steal sensitive data from the victims. Checkmarx researchers said the malware stole browser data (cookies, autofill information, browsing history, bookmarks, credit cards and login credentials from major browsers such as Opera, Chrome, Brave, Vivaldi, Yandex and Edge), Discord data (including Discord tokens, which can be used to access accounts), cryptocurrency wallet data, Telegram chat sessions, computer files and Instagram data.
Further analysis also discovered that the infostealer could also work as a keylogger.