Log In
Get a Demo

See for yourself – run a scan on your code right now

Get a demo

Infiltrating the software supply chain is not a new attack method, but the way cybercriminals insinuate themselves and their malicious code into repositories continues to become more sophisticated. Although developers know that any open-source code should be reviewed and vetted, attackers now work to circumvent that practice. 

In a recent campaign targeting the software supply chain, researchers found that attackers chained together multiple tactics, techniques, and procedures (TTPs) to evade detection and poison a popular GitHub community. 

Steps of the Attack

This attack highlights the increasingly sophisticated methods that threat actors use to compromise the software supply chain, including:

  • Typosquatting: Python package mirror “files[.]pypihosted[.]org” that uses a misspelling of popular “files[.]pythonhosted[.]org”
  • Malicious “Colorama” copy: Inserting malicious code into a copy of a popular package then hosting it on the typosquat domain
  • Bypassing authentication: Using stolen session cookies to gain access to GitHub accounts
  • Leveraging reputable GitHub accounts: Taking over accounts, like editor-syntax who maintains Top.gg GitHub, to insert instructions into the repository to download the Colorama copy
  • Evading detection: Committing multiple files that include malicious link and legitimate files to blend in with legitimate dependencies so users would be less likely to identify it during manual review

Understanding the Malicious Package

To spread the malware and remain hidden, the attackers manipulated the packaged installation process and the trusted Python package ecosystem. 

To dig a little deeper into the attack, you should understand how the attacker embedded the malicious package into the Python fetch and execute process:

  • User downloads the component containing the typosquatted, fake “colorama” from files[.]pypihosted[.]org that include malicious code located in either colorama/tests/__init__.py or colorama/init.py
  • Malicious payload is hidden by using whitespace so anyone engaging in manual inspection needs to scroll horizontally for a long time.
  • Malicious component fetches and executes:
    • Code from “hxxps[:]//pypihosted[.]org/version” which installs additional components and decrypts hard-coded data using “fernet” library 
    • Code saved in a temporary file that a legitimate Python interpreter executed
  • Malicious component fetches more hidden malicious code from “hxxp[:]//162[.]248[.]100[.]217/inj” then executes it.
  • Code selects a folder and file name on the compromise host then retrieves the final component from “hxxp[:]//162[.]248[.]100.217[:]80/grb.”
  • Malicious code establishes persistence by modifying the Windows registry, ensuring that system reboots execute the code. 

Techniques used to obfuscate the malicious code include:

  • Character strings containing Chinese and Japanese 
  • zlib compression
  • Misleading variable names

The attackers use five different usernames, each associated with different malicious packages:

  • Username: pypi/xotifol394
    • jzyrljroxlca
    • wkqubsxekbxn
    • eoerbisjxqyv
    • lyfamdorksgb
    • hnuhfyzumkmo
    • hbcxuypphrnk
    • dcrywkqddo
  • Username: pypi/poyon95014
    • mjpoytwngddh
  • Username: pypi/tiles77583
    • eeajhjmclakf
  • Username: pypi/felpes
    • yocolor
    • coloriv
    • colors-it
    • pylo-color
  • Username: felipefelpes
    • type-color

Indicators of compromise (IoCs) currently include the following:

  • hxxps[:]//files[.]pythanhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.5.tar.gz
  • hxxps[:]//files[.]pypihosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz
  • hxxps://files[.]pypihosted[.]org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.3.tar.gz
  • 162[.]248.101.215
  • pypihosted.org/version
  • 162[.]248.100.217
  • 162.248.100.117
  • 0C1873196DBD88280F4D5CF409B7B53674B3ED85F8A1A28ECE9CAF2F98A71207
  • 35AC61C83B85F6DDCF8EC8747F44400399CE3A9986D355834B68630270E669FB
  • C53B93BE72E700F7E0C8D5333ACD68F9DC5505FB5B71773CA9A8668B98A17BA8

3 Takeaway Lessons

This new attack highlights some significant changes in the way threat actors seek to poison the software supply chain. 

Vetting Contributors May Not Work

Developers are always told to – and should always be engaging in – contributor reviews prior to using an open-source component. This attack undercuts that mitigation strategy by leveraging stolen credentials to exploit known, respected contributors. 

Even after reviewing repositories, you should ensure that you:

Manual Code Reviews Miss Things

By using whitespace and horizontal scrolling to hide their malicious code, the attackers are hoping that developers manually review code rather than using an automated solution. To mitigate risks, you should:

Continuously Monitor to Detect Changes

This attack highlights the way threat actors seek to compromise respected contributors and use known packages as a deployment tool. As part of building security into your development processes and application, you should ensure that you can:

Qwiet AI: Securing Applications at the Source Code

With Qwiet AI, you can integrate security testing into your current CI/CD pipelines, ticketing systems, and development tools. By building security directly into your current processes, our platform enables you to incorporate container security into your secure software development life cycle (SSDLC) processes while still ensuring that you get the speed you need to deliver software on time. 

The Qwiet AI platform gives you visibility into the context around vulnerabilities so that you can effectively prioritize remediation actions based on whether attackers can exploit a weakness in your application and account for whether attackers are currently exploiting that vulnerability in the wild. 

Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you 

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

Cybersecurity
April 22, 2024 6 min to read

What are the limitations of using ChatGPT to write code?

Love them or hate them, large language models (LLM) are here to stay. After opening the Pandora’s Box of ChatGPT in late 2022, everyone from developers to grandmas began using the tool to get the answers they wanted – and fast. As with every other new technology, ChatGPT created a new set of security risks, […]

READ MORE
Cybersecurity
April 17, 2024 5 min to read

Why Is Vulnerability Remediation Hard?

Imagine yourself standing in a local fair at night. The bright lights from the games beckon you, and you see your favorite game, the one you’re best at – Whack-A-Mole. You excitedly walk up to the booth, plunk down your few dollars, and get ready to whack a bunch of plastic, animatronic moles back into […]

READ MORE
Cybersecurity
April 9, 2024 5 min to read

Understanding XSS vs CSRF

When it comes to web application vulnerabilities and attacks, malicious actors are a lot like Cookie Monster, screaming, “Me love cookie!” Digital cookies may not be as tasty as chocolate chips, but they’re just as deliciously enticing because they often contain sensitive information or enable attackers to gain unauthorized access.  While both Cross-Site Scripting (XSS) […]

READ MORE

Read Next

Cybersecurity
March 17, 2022 7 min to read

Secure Software Summit: Importance of Securing Software w...

  With the increase of supply chain attacks on everything from logging software like Log4J to takeovers of important JavaScript packages to compromises of network utility tools like SolarWinds, more and more organizations are recognizing the need to adopt a Zero Trust mindset. Zero Trust can improve security, reduce risks, and give organizations greater confidence […]

READ MORE
Cybersecurity
July 25, 2023 4 min to read

What is OWASP and Why is it Important to Developers?

by Team Qwiet

Shipping your software – and doing it on time – may be your first priority as a developer. However, as your company shifts security left, you need to build it into your processes while still meeting estimated timelines. Now you need to manage cross-functional communications and respond to seemingly competing priorities. You’re trying to debug […]

READ MORE
Cybersecurity
November 22, 2021 5 min to read

Getting to Know Compliance in Software Development

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE

See for yourself – run a scan on your code right now

try it for free
log in
Newsletter Sign Up

Stay informed of the latest news and critical events in AppSec space:

Twitter Linkedin Github
About
Platform Overview
Platform Components
Resources

© 2024 Qwiet. All rights reserved.