See for yourself – run a scan on your code right now

Infiltrating the software supply chain is not a new attack method, but the way cybercriminals insinuate themselves and their malicious code into repositories continues to become more sophisticated. Although developers know that any open-source code should be reviewed and vetted, attackers now work to circumvent that practice. 

In a recent campaign targeting the software supply chain, researchers found that attackers chained together multiple tactics, techniques, and procedures (TTPs) to evade detection and poison a popular GitHub community. 

Steps of the Attack

This attack highlights the increasingly sophisticated methods that threat actors use to compromise the software supply chain, including:

  • Typosquatting: Python package mirror “files[.]pypihosted[.]org” that uses a misspelling of popular “files[.]pythonhosted[.]org”
  • Malicious “Colorama” copy: Inserting malicious code into a copy of a popular package then hosting it on the typosquat domain
  • Bypassing authentication: Using stolen session cookies to gain access to GitHub accounts
  • Leveraging reputable GitHub accounts: Taking over accounts, like editor-syntax who maintains GitHub, to insert instructions into the repository to download the Colorama copy
  • Evading detection: Committing multiple files that include malicious link and legitimate files to blend in with legitimate dependencies so users would be less likely to identify it during manual review

Understanding the Malicious Package

To spread the malware and remain hidden, the attackers manipulated the packaged installation process and the trusted Python package ecosystem. 

To dig a little deeper into the attack, you should understand how the attacker embedded the malicious package into the Python fetch and execute process:

  • User downloads the component containing the typosquatted, fake “colorama” from files[.]pypihosted[.]org that include malicious code located in either colorama/tests/ or colorama/
  • Malicious payload is hidden by using whitespace so anyone engaging in manual inspection needs to scroll horizontally for a long time.
  • Malicious component fetches and executes:
    • Code from “hxxps[:]//pypihosted[.]org/version” which installs additional components and decrypts hard-coded data using “fernet” library 
    • Code saved in a temporary file that a legitimate Python interpreter executed
  • Malicious component fetches more hidden malicious code from “hxxp[:]//162[.]248[.]100[.]217/inj” then executes it.
  • Code selects a folder and file name on the compromise host then retrieves the final component from “hxxp[:]//162[.]248[.]100.217[:]80/grb.”
  • Malicious code establishes persistence by modifying the Windows registry, ensuring that system reboots execute the code. 

Techniques used to obfuscate the malicious code include:

  • Character strings containing Chinese and Japanese 
  • zlib compression
  • Misleading variable names

The attackers use five different usernames, each associated with different malicious packages:

  • Username: pypi/xotifol394
    • jzyrljroxlca
    • wkqubsxekbxn
    • eoerbisjxqyv
    • lyfamdorksgb
    • hnuhfyzumkmo
    • hbcxuypphrnk
    • dcrywkqddo
  • Username: pypi/poyon95014
    • mjpoytwngddh
  • Username: pypi/tiles77583
    • eeajhjmclakf
  • Username: pypi/felpes
    • yocolor
    • coloriv
    • colors-it
    • pylo-color
  • Username: felipefelpes
    • type-color

Indicators of compromise (IoCs) currently include the following:

  • hxxps[:]//files[.]
  • hxxps[:]//files[.]
  • hxxps://files[.]pypihosted[.]org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.3.tar.gz
  • 162[.]248.101.215
  • 162[.]248.100.217
  • 0C1873196DBD88280F4D5CF409B7B53674B3ED85F8A1A28ECE9CAF2F98A71207
  • 35AC61C83B85F6DDCF8EC8747F44400399CE3A9986D355834B68630270E669FB
  • C53B93BE72E700F7E0C8D5333ACD68F9DC5505FB5B71773CA9A8668B98A17BA8

3 Takeaway Lessons

This new attack highlights some significant changes in the way threat actors seek to poison the software supply chain. 

Vetting Contributors May Not Work

Developers are always told to – and should always be engaging in – contributor reviews prior to using an open-source component. This attack undercuts that mitigation strategy by leveraging stolen credentials to exploit known, respected contributors. 

Even after reviewing repositories, you should ensure that you:

Manual Code Reviews Miss Things

By using whitespace and horizontal scrolling to hide their malicious code, the attackers are hoping that developers manually review code rather than using an automated solution. To mitigate risks, you should:

Continuously Monitor to Detect Changes

This attack highlights the way threat actors seek to compromise respected contributors and use known packages as a deployment tool. As part of building security into your development processes and application, you should ensure that you can:

Qwiet AI: Securing Applications at the Source Code

With Qwiet AI, you can integrate security testing into your current CI/CD pipelines, ticketing systems, and development tools. By building security directly into your current processes, our platform enables you to incorporate container security into your secure software development life cycle (SSDLC) processes while still ensuring that you get the speed you need to deliver software on time. 

The Qwiet AI platform gives you visibility into the context around vulnerabilities so that you can effectively prioritize remediation actions based on whether attackers can exploit a weakness in your application and account for whether attackers are currently exploiting that vulnerability in the wild. 

Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you 

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit:


See for yourself – run a scan on your code right now