Article

Over 390,000 Credentials Stolen via Malicious GitHub Repository

Trojanized open-source code snippet stealing sensitive credentials

A sophisticated, ongoing supply-chain attack was recently detected; for the past year it has used Trojanized versions of open-source software published on GitHub and NPM to harvest sensitive login credentials. The credential-stealing campaign is specifically designed to target both information security professionals and cybercriminals. The responsible threat actor exfiltrated the stolen data through a malicious package, @0xengine/xmlrpc, which was primarily promoted via open-source GitHub repositories of the kind security professionals are likely to visit. The threat actor built an expertly designed backdoor to conceal the malicious package's true purpose.

What’s Notable and Unique:

  • This threat actor attempts to gather command histories, Amazon Web Services access keys, SSH private keys, and other sensitive data from compromised machines once every twelve hours.
  • Dozens of workstations were still infected when the campaign was reported, and an online Dropbox account was discovered containing 390,000 WordPress website passwords that the attackers likely stole from other threat actors.
  • The campaign’s malware also installs cryptomining software, which had been deployed on at least 68 computers as of last month.

The package was originally meant to provide a Node.js client and a JavaScript implementation of the popular XML-RPC protocol. It was gradually and deliberately altered over time until it became malware: eventually one revision introduced heavily obfuscated code hidden inside the package. With 16 revisions in its first year, developers believed the package was a safe, authentic code library that could be relied upon in sensitive settings.

Analyst Comments

This year-long campaign is an alarming reminder of the importance of carefully reviewing open-source projects before integrating them into any software development process. Legitimate projects may be compromised later, with harmful code introduced through updates; alternatively, malicious projects may be present from the beginning and remain active for a long time while concealing their true nature. To reduce the risk of supply chain attacks, developers and organizations must be vigilant not only during initial vetting but also when monitoring package updates, putting strong security measures in place, and regularly auditing their dependencies.
