Article Details

Hackers poison source code for largest Discord bot platform. The Top.gg Discord bot community with over 170,000 members has been impacted by a supply-chain attack aiming to deliver malware that steals sensitive information. The threat actor has been using several tactics, techniques, and procedures (TTPs) over the years including hijacking GitHub accounts, distributing malicious Python packages, using a fake Python infrastructure, and social engineering. One of the more recent victims of the attacker is Top.gg, a popular search-and-discovery platform for Discord servers, bots, and other social tools geared towards gaming, boosting engagement, and improving functionality. Checkmarx researchers discovered the campaign and note that the main goal was most likely data theft and monetization through selling the stolen info. Hijacking top.gg maintainer account According to the researchers, the attacker's activity started back in November 2022, when they first uploaded malicious packages on the Python Package Index (PyPI). In the years that followed, more packages carrying malware were uploaded to PyPI. These resembled popular open-source tools with enticing descriptions that would make them more likely to rank well in search engine results. The most recent upload was a package named "yocolor" in March this year. In early 2024, the attackers set up a fake Python package mirror at "files[.]pypihosted[.]org," which is a typosquatting attempt to mimic the authentic "files.pythonhosted.org" where the artifact files of PyPI packages are stored. This fake mirror was used to host poisoned versions of legitimate packages, such as an altered version of the popular "colorama" package, with the goal of tricking users and development systems into using this malicious source. The malicious packages uploaded to PyPI served as an initial vector to compromise systems. Once a system was compromised, or if the attackers hijacked privileged GitHub accounts, they altered project files to point to dependencies hosted on the fake mirror. Checkmarx highlights a case from March where the attackers hacked the account of a top.gg maintainer, "editor-syntax," who had significant write access permissions on the platform's GitHub repositories. The attacker used the account to perform malicious commits to Top.gg's python-sdk repository, such as adding a dependency on the poisoned version of "colorama" and storing other malicious repositories, to increase their visibility and credibility. Final payload Once the malicious Python code is executed, it activates the next stage by downloading from a remote server a small loader or dropper script that fetches the final payload in encrypted form. The malware establishes persistence on the compromised machine between reboots by modifying the Windows Registry. The malware's data stealing capabilities can be summed up in the following: All stolen data is sent to the command and control server via HTTP requests, carrying unique hardware-based identifiers or IP addresses. In parallel, it's uploaded to file-hosting services like Anonfiles and GoFile. The number of users impacted by this campaign is unknown, but the report from Checkmarx highlights the risks of the open-source supply chain and the importance of developers checking the security of their building blocks.