
Malicious GitHub Repository Exfiltrates Over 390,000 WordPress Credentials

A malicious GitHub repository was discovered to have exfiltrated over 390,000 WordPress credentials.


A malicious GitHub repository, now removed, was discovered to have exfiltrated over 390,000 credentials by masquerading as a WordPress publishing tool. The repository, part of a sophisticated campaign by the threat actor MUT-1244 ("Mysterious Unattributed Threat"), targeted a range of users, including developers, researchers, and even other malicious actors.

This campaign highlights the growing threat of weaponized GitHub repositories and phishing attacks, which aim to steal sensitive data while exploiting the trust placed in open-source platforms.

Who Was Affected?

The attack targeted:

  • Security Researchers and Pentesters: These individuals were lured by trojanized proof-of-concept (PoC) exploit code, risking exposure of unpublished security vulnerabilities.

  • Malicious Actors: Threat actors handling stolen credentials also became victims of the campaign.

  • Academics and Linux Users: Phishing emails targeted academics, prompting them to execute malicious commands on Linux systems.

Data Compromised

Sensitive information stolen includes:

  • SSH private keys

  • AWS access keys

  • System environment variables

  • Specific directory contents, such as ~/.aws

How the Attack Worked

Trojanized GitHub Repositories

MUT-1244 leveraged GitHub to distribute malicious repositories. One notable repository, github[.]com/hpc20235/yawpp, claimed to be a WordPress tool called "Yet Another WordPress Poster." While the tool appeared legitimate, it secretly deployed malware through an npm package dependency, @0xengine/xmlrpc.

This malicious npm package:

  • Deployed malware to exfiltrate system information.

  • Sent stolen credentials to an attacker-controlled Dropbox account.

The npm package had approximately 1,790 downloads before it was removed.

Multiple Attack Vectors

In addition to GitHub repositories, MUT-1244 used diverse tactics:

  1. Phishing Emails: Academic users were tricked into running terminal commands for fake kernel upgrades.

  2. Backdoored Compilation Files: Malicious scripts were embedded in software compilation processes.

  3. Fake PoC Repositories: Repositories with AI-generated profiles were used to distribute trojanized code.

  4. PDF Payloads: Malicious PDFs were deployed to infect systems.

  5. Python Droppers: Python scripts were used as malware delivery mechanisms.

  6. Malicious npm Packages: Packages like @0xengine/meow contained hidden payloads.

Scale of Impact

Datadog Security Labs estimated that over 390,000 credentials, primarily WordPress account details, were stolen. This massive compromise likely included credentials initially handled by other threat actors.

Implications of the Attack

Weaponized PoCs

The rise of weaponized PoC exploit code demonstrates how attackers exploit vulnerability disclosures to gain access to sensitive systems. GitHub repositories are increasingly being used as a delivery platform for malicious payloads.

Targeting Security Professionals

Security researchers are becoming prime targets. Compromising their systems can grant attackers access to undisclosed exploits, which can be weaponized for further attacks.

Sophisticated Multi-Vector Strategy

MUT-1244’s use of multiple attack vectors highlights their strategy of maximizing reach and evading detection.

How to Protect Yourself

For Developers and Researchers

  1. Verify Repositories: Double-check the legitimacy of GitHub repositories before downloading and using them.

  2. Inspect Code: Carefully review source code for suspicious or malicious behavior.

  3. Isolate Testing Environments: Test PoC code in isolated environments to limit potential damage.

For Organizations

  1. Deploy Threat Detection Tools: Use tools to identify malicious dependencies or unusual behavior in downloaded packages.

  2. Educate Teams: Train developers and researchers on recognizing phishing attempts and trojanized repositories.

  3. Limit Access: Restrict permissions to sensitive systems and data.
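As an added defender-side illustration (not code from this article, Datadog, or the campaign), the following Python script walks an npm package-lock.json, reports the dependency chain that pulls in any package on a denylist built from the names this article cites, and flags packages that run npm lifecycle install scripts. The lockfile is constructed for the example, and a hoisted (flat) node_modules layout is assumed.

```python
import json

# Package names the article ties to the MUT-1244 campaign.
KNOWN_MALICIOUS = {"@0xengine/xmlrpc", "@0xengine/meow"}

# Constructed sample in npm lockfileVersion 3 layout (not a real artefact):
# the project depends on "yawpp", which pulls in the malicious package.
SAMPLE_LOCK = json.dumps({
    "name": "my-site",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"yawpp": "^1.0.0", "left-pad": "^1.3.0"}},
        "node_modules/yawpp": {"version": "1.0.0",
                               "dependencies": {"@0xengine/xmlrpc": "^1.3.0"}},
        "node_modules/@0xengine/xmlrpc": {"version": "1.3.4",
                                          "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})


def _pkg_name(path):
    """Map a lockfile path to a package name, e.g.
    'node_modules/@0xengine/xmlrpc' -> '@0xengine/xmlrpc'; '' is the root."""
    return path.rsplit("node_modules/", 1)[-1] if path else ""


def audit_lockfile(lock_json, denylist=KNOWN_MALICIOUS):
    """Return the dependency chain leading to every denylisted package and
    the names of packages that run npm lifecycle install scripts.
    Assumes a hoisted (flat) node_modules tree, which is npm's default."""
    pkgs = json.loads(lock_json)["packages"]
    deps_of = {_pkg_name(p): meta.get("dependencies", {}) for p, meta in pkgs.items()}
    install_scripts = sorted(_pkg_name(p) for p, meta in pkgs.items()
                             if meta.get("hasInstallScript"))
    chains = []

    def walk(name, chain):
        for dep in sorted(deps_of.get(name, {})):
            path = chain + [dep]
            if dep in denylist:
                chains.append(" -> ".join(path))
            if dep not in chain:  # stop on dependency cycles
                walk(dep, path)

    walk("", ["<root>"])
    return {"denylisted": chains, "install_scripts": install_scripts}


if __name__ == "__main__":
    for key, hits in audit_lockfile(SAMPLE_LOCK).items():
        print(key, hits)
```

Run against a real lockfile by replacing SAMPLE_LOCK with the file contents; a transitive hit such as "<root> -> yawpp -> @0xengine/xmlrpc" shows which direct dependency introduced the flagged package.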

General Best Practices

  • Keep Software Updated: Ensure all systems and software have the latest security patches.

  • Enable Endpoint Protection: Use advanced detection tools to block malware.

  • Secure Credentials: Regularly rotate sensitive credentials and monitor for unauthorized access.

Conclusion

The MUT-1244 campaign underscores the increasing sophistication of software supply chain attacks and the risks posed by malicious GitHub repositories. By targeting trusted platforms, attackers exploit the inherent trust developers place in open-source ecosystems.

For developers, researchers, and organizations, vigilance and robust security practices are critical. Understanding these evolving threats and adopting proactive measures can help mitigate the risks of future attacks. Always verify code, educate teams, and secure systems to protect sensitive data.