GitHub Developers Hit in Complex Supply Chain Cyberattack

Published: 23/11/2024   Category: security




The attacker employed various techniques, including distributing malicious dependencies via a fake Python infrastructure linked to GitHub projects.



An unidentified group of threat actors orchestrated a sophisticated supply chain cyberattack on members of the Top.gg GitHub organization as well as individual developers in order to inject malicious code into the code ecosystem.
The attackers infiltrated trusted software development elements to compromise developers. They hijacked GitHub accounts with stolen cookies, contributed malicious code via verified commits, established a counterfeit Python mirror, and released tainted packages on the PyPI registry.
"Multiple TTPs help attackers create sophisticated attacks, evade detection, increase the chances of successful exploitation, and complicate defense efforts," says Jossef Harush Kadouri, head of software supply chain security at Checkmarx.
The attackers utilized a convincing typosquatting technique with a fake Python mirror domain resembling the official one to deceive users, according to a blog post by Checkmarx researchers.
By tampering with popular Python packages like Colorama — which is used by more than 150 million users to simplify the process of formatting text — the attackers concealed malicious code within seemingly legitimate software, expanding their reach beyond GitHub repositories.
They also exploited high-reputation GitHub Top.gg accounts to insert malicious commits and increase the credibility of their actions. Top.gg has 170,000 members.
In the final stage of the attack, the malware used by the threat group steals sensitive information from the victim. It can target popular user platforms, including Web browsers like Opera, Chrome, and Edge — harvesting cookies, autofill data, and credentials. The malware also roots out Discord accounts and abuses decrypted tokens to gain unauthorized access to victim accounts on the platform.
The malware can steal victims' cryptocurrency wallets, Telegram session data, and Instagram profile information. In the latter scenario, the attacker uses the victim's session tokens to retrieve their account details, employing a keylogger to capture keystrokes, potentially compromising passwords and personal messages.
The stolen data from these individual attacks is then exfiltrated to the attackers' server using various techniques, including anonymous file-sharing services and HTTP requests. The attackers utilize unique identifiers to track each victim.
To evade detection, the attackers employed intricate obfuscation techniques in their code, including whitespace manipulation and misleading variable names. They established persistence mechanisms, modified system registries, and executed data-stealing operations across various software applications.
Despite these sophisticated tactics, some vigilant Top.gg community members noticed the malicious activities and reported them, which led to Cloudflare taking down the abused domains, according to Checkmarx. Even so, Checkmarx's Kadouri still regards the threat as active.
IT security professionals should regularly monitor and audit new contributions to code projects and focus on education and awareness for developers on the risks of supply chain attacks.
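As an added example (not code from the article or from Checkmarx) of the auditing recommended above, the Python script below scans pip configuration text for index URLs pointing at hosts other than the official PyPI and flags names that imitate it, the pattern behind the fake mirror domain described earlier; the allowlist of official hosts and the sample configuration lines are assumptions constructed for the example.

```python
# Added example (not from the article or Checkmarx): audit pip index URLs for
# hosts other than the official PyPI. Allowlist and samples are assumptions.
import re
from urllib.parse import urlparse
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}  # assumed allowlist
OFFICIAL_BRANDS = {"pypi", "pythonhosted"}  # labels an impostor would reuse
# Index options from requirements.txt (--index-url, -i, --extra-index-url)
# and from pip.conf / pip.ini (index-url = ..., extra-index-url = ...).
INDEX_RE = re.compile(
    r"(?:--index-url|--extra-index-url|-i|index-url|extra-index-url)\b"
    r"\s*=?\s*(\S+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' or 'unlisted' for an index host."""
    host = host.lower()
    if host in OFFICIAL_HOSTS:
        return "official"
    if any(b in host for b in OFFICIAL_BRANDS):
        return "lookalike"  # official name under a different domain
    name = host.rsplit(".", 1)[0]  # compare names without their TLD
    if any(levenshtein(name, o.rsplit(".", 1)[0]) <= 2 for o in OFFICIAL_HOSTS):
        return "lookalike"  # a typo of the official name
    return "unlisted"  # private mirror: confirm it is really yours

def audit(text: str) -> list[tuple[str, str]]:
    """Classify the host of every index URL found in pip config text."""
    hosts = (urlparse(m.group(1)).hostname or "" for m in INDEX_RE.finditer(text))
    return [(h, classify_host(h)) for h in hosts]

# Constructed sample mixing requirements.txt and pip.conf syntax; the
# .invalid and .example names are reserved and never resolve.
SAMPLE = """
--index-url https://pypi.org/simple
--extra-index-url https://files.pythonhosted.invalid/simple
extra-index-url = https://mirror.corp.example/simple
-i https://pyp1.invalid/simple
"""
if __name__ == "__main__":
    for host, verdict in audit(SAMPLE):
        print(f"{verdict:9s} {host}")
```

Run it against each developer machine's pip.conf and every requirements file in CI; anything reported as "lookalike" deserves the same scrutiny as an unknown commit author.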
"We believe in putting competition aside and working together to make the open source ecosystems safe from attackers," Kadouri says. "Sharing resources is crucial for having an edge over software supply chain threat actors."
Expect software supply chain attacks to continue, according to Kadouri. "I believe the evolution of supply chain attacks is going to increase in build pipelines and AI and large language models."
Recently, repositories for machine learning models, such as Hugging Face, have offered threat actors opportunities to inject malicious code into development environments, akin to the open source repositories npm and PyPI.
Other software supply chain security issues have arisen recently, affecting cloud versions of the JetBrains TeamCity software development platform, as well as malicious code updates slipped into hundreds of GitHub repositories in September.
And weak authentication and access controls allowed Iranian hacktivists to conduct a supply chain attack earlier this month on Israeli universities via a technology provider.
