Complicated Supply Chain Attack Hits Github and Individual Developers

March 2024 by Checkmarx

The threat actors combined several tactics, including account takeover, malicious code contributions, and a custom Python package mirror, to compromise multiple victims, both GitHub accounts and individual developers. The multi-stage, evasive malicious payload harvests passwords, credentials, and other valuable data from infected systems and exfiltrates them to the attacker's infrastructure.

“I was using my laptop today, just the regular messing around with Python and other stuff on my command line, until I saw a weird message on my command line saying that there's something wrong with colorama on Python. I didn't care much because I'm used to this stuff, so I just skipped it. A few minutes later I got the same error message, but in a different script I'm using. The moment I saw this I knew what's going on: I got hacked.”

This chilling account comes from a recent blog post by Mohammed Dief, a Python developer who fell victim to a sophisticated malware attack while cloning the repository "maleduque/Valorant-Checker".

Mohammed’s story is just one example of the far-reaching impact of this malware campaign. The attacker behind the campaign employed a devious strategy to spread the malware through malicious GitHub repositories.
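One concrete defensive check that follows from the tactics above (a custom Python mirror delivering the payload, reached through a cloned repository) is to scan a project's requirement lines before installing anything and flag every package source that is not an official PyPI host. The script below is an added example, not code from Checkmarx or from the repository named above; the sample requirements text and the mirror hostnames in it are constructed placeholders, and the list of trusted hosts is an assumption you should adapt to your own organisation's approved indexes.

```python
"""Flag requirement lines that would fetch Python packages from hosts other than official PyPI.

Added example for a pre-install review step: it does not resolve or download anything,
it only inspects the text of a requirements file for index options and direct URL
references and reports every host that is not on the trusted list.
"""
import re
from urllib.parse import urlparse

# Hosts pip contacts by default. Assumption: extend with your own vetted internal index.
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Constructed sample requirements file. The ".invalid" hosts are placeholders for a
# look-alike mirror and are not real domains.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
# legitimate direct reference to the official file host
colorama @ https://files.pythonhosted.org/packages/py3/c/colorama/colorama-0.4.6-py2.py3-none-any.whl
# look-alike mirror (constructed placeholder)
colorama @ https://files.pypi-mirror.invalid/packages/colorama-0.4.6.tar.gz
--extra-index-url https://pypi-mirror.invalid/simple
--index-url https://pypi.org/simple
"""

# Any http(s) URL on a non-comment line: covers "pkg @ URL", -i/--index-url,
# --extra-index-url and --find-links forms alike.
URL_RE = re.compile(r"https?://[^\s'\"]+")


def find_untrusted_sources(text, trusted=OFFICIAL_HOSTS):
    """Return (line_no, host, line) for each URL whose host is not a trusted index host.

    Matching is exact on the hostname, so "pypi.org.attacker.invalid" or
    "files-pythonhosted.invalid" is reported rather than silently accepted.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host not in trusted:
                findings.append((line_no, host, line))
    return findings


def report(text):
    """Human-readable summary; returns the number of flagged lines."""
    findings = find_untrusted_sources(text)
    for line_no, host, line in findings:
        print(f"line {line_no}: untrusted package source {host!r}: {line}")
    if not findings:
        print("no untrusted package sources found")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_REQUIREMENTS)
```

Run it against a real file with `find_untrusted_sources(open("requirements.txt").read())` before `pip install -r`; a non-empty result means the install would contact a host outside the trusted set and the line deserves a manual look. The check is deliberately text-only so it can run in CI on an untrusted clone without executing or downloading any of its contents.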