The Colorama utility became a decoy for a hacker attack on Python developers

Teacher

A number of top Python developers, including maintainers of the Top.gg project, encountered a malware infection. After downloading a clone of the popular utility, the developers got an infostealer on their systems.

Checkmarx experts described a campaign aimed at Python developers. The utility that served as a decoy in this case is called Colorama; it makes ANSI escape sequences work on Windows.

Colorama is downloaded more than 150 million times per month, which shows how popular the tool is. To carry out the attacks, the attackers created a clone of Colorama, added malicious code to it, and hosted the "surprise" version on a fake domain that imitates the legitimate one.

For the domain, the cybercriminals used typosquatting. As a result, developers who were looking for files.pythonhosted.org ended up on a similar-looking site under the attackers' control.

In addition, the attackers set up malicious repositories under their own accounts and also hijacked accounts with a good reputation, including the GitHub account of "editor-syntax", a maintainer of the Top.gg platform (more than 170 thousand members).

Using the "editor-syntax" account, the criminals placed a malicious commit in the top-gg/python-sdk repository that added instructions pointing to the malicious Colorama clone.
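The two tricks described above (a lookalike package host and a repository change that points dependencies at it) can both be caught by checking where a project's dependency lines actually fetch packages from. The script below is an added example, not code from the post or from Checkmarx, Top.gg or the Colorama project: it scans requirements-style lines for direct URLs and index options, flags any host outside an allowlist, and marks hosts within a few edits of an approved one as likely lookalikes. The allowlist, the sample requirements and the lookalike host name in it are constructed for the example.

```python
"""Flag dependency lines that pull packages from hosts outside an allowlist.

Added example, not from the original post. It scans requirements-style
text for direct URLs and --index-url/--extra-index-url options, reports
any host that is not an approved package index, and flags hosts that are
a small edit distance away from an approved one as probable lookalikes.
"""
import re
from urllib.parse import urlparse

# Hosts the project trusts to serve packages (assumption: the default PyPI hosts).
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Any http(s) URL on a line, whether a direct reference or an index option value.
URL_RE = re.compile(r"""https?://[^\s'"#]+""")

# Constructed sample requirements; the lookalike host is invented for the example.
SAMPLE = """\
# constructed sample for the example
--index-url https://pypi.org/simple
requests==2.31.0
colorama @ https://files.pythonh0sted.org/packages/colorama-0.4.6.tar.gz
internal-tool @ https://packages.example.internal/internal-tool-1.0.whl
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'allowed', 'lookalike' or 'unknown' for a package host."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    # A host only a few characters away from a trusted one is suspicious.
    for good in ALLOWED_HOSTS:
        if edit_distance(host, good) <= 3:
            return "lookalike"
    return "unknown"


def scan_requirements(text: str) -> list:
    """Return (line_no, host, verdict) for every non-allowed host referenced."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()  # drop comments
        if not stripped:
            continue
        for url in URL_RE.findall(stripped):
            host = urlparse(url).hostname or ""
            verdict = classify_host(host)
            if verdict != "allowed":
                findings.append((n, host, verdict))
    return findings


if __name__ == "__main__":
    for line_no, host, verdict in scan_requirements(SAMPLE):
        print(f"line {line_no}: {host} -> {verdict}")
```

Run in CI against every requirements file and setup/pyproject fragment a pull request touches, the scan would have surfaced a commit like the one described above as a lookalike host before anyone installed from it; pinning hashes (`pip install --require-hashes`) complements this by refusing a package whose bytes differ even when the host name looks right.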

Experts believe the account fell into the attackers' hands through stolen session cookies.