TLDR:
Over 170,000 users were affected by a supply chain attack that used fake Python infrastructure. Malicious PyPI packages distributed malware that targeted developers, stealing data from browsers, Discord apps, crypto wallets, and files. The attacker also broke into multiple GitHub accounts to insert the malware, which was obfuscated and survived reboots. Defending against such attacks remains challenging because they combine multiple vectors.
Article Summary:
More than 170,000 users were affected by a supply chain attack that used fake Python infrastructure and malware-infected PyPI packages to target developers. The attack focused on members of the Top.gg GitHub organization and other developers, using clones of popular Python packages, doppelganger domains, and code obfuscation to steal user data.
The malicious Python packages were uploaded in November 2022, with the attack starting in earnest in February when a doppelganger domain was registered to distribute the malware. The attacker made the fake URL nearly identical to the real PyPI domain and inserted the malware into popular tools like Colorama, adding invisible code to install the malware on users’ systems.
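The two tricks described above, a lookalike package host and code hidden out of sight in an otherwise legitimate file, can both be caught with a simple audit. The following script is an added defensive example, not code from the article or from any affected project; it assumes the hiding technique is whitespace padding, and the `HIDDEN_CODE_GAP` threshold, the lookalike hostname and the sample inputs are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts that the official PyPI index and its file mirror actually use.
OFFICIAL_PYPI_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Assumed threshold: a run of this many spaces/tabs followed by code is
# suspicious; legitimate code rarely needs more than a few for alignment.
HIDDEN_CODE_GAP = 120
_HIDDEN_RE = re.compile(r"[ \t]{%d,}\S" % HIDDEN_CODE_GAP)


def suspicious_index_hosts(requirements_text: str) -> list[str]:
    """Return every package-source hostname that is not an official PyPI host.

    Covers --index-url / --extra-index-url lines and direct URL requirements.
    """
    flagged = []
    for line in requirements_text.splitlines():
        for url in re.findall(r"https?://[^\s'\"]+", line):
            host = urlparse(url).hostname or ""
            if host not in OFFICIAL_PYPI_HOSTS:
                flagged.append(host)
    return flagged


def hidden_code_lines(source_text: str) -> list[int]:
    """Return 1-based line numbers where code follows a long run of whitespace.

    This catches statements pushed far to the right of the visible editor
    width, whether at the start of a line or after legitimate code.
    """
    return [n for n, line in enumerate(source_text.splitlines(), 1)
            if _HIDDEN_RE.search(line)]


# Constructed sample inputs (not real package data).
REQUIREMENTS_SAMPLE = """\
colorama==0.4.6
--extra-index-url https://files.pypihosted.example/simple/
requests==2.31.0
"""

SOURCE_SAMPLE = (
    "import os\n"
    "print('hello')\n"
    "x = 1" + " " * 200 + "run_hidden_loader()  # constructed: off-screen code\n"
    "y = 2\n"
)

if __name__ == "__main__":
    print("non-PyPI hosts:", suspicious_index_hosts(REQUIREMENTS_SAMPLE))
    print("hidden-code lines:", hidden_code_lines(SOURCE_SAMPLE))
```

Run over a project's requirements files and checked-in `.py` files; any non-empty result is worth a manual look before installing.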
The attacker also broke into GitHub accounts, including one of Top.gg’s maintainers, to insert the fake packages into repositories. This attack was complex, involving multiple tactics to hide the malicious activity within legitimate code changes. Despite efforts to ensure the integrity of open-source package managers like PyPI, defending against attacks using various vectors remains difficult for developers.