Over 390,000 credentials are thought to have been exfiltrated using a since-deleted GitHub repository that promoted a WordPress utility for publishing posts to the online content management system (CMS).
A threat actor known as MUT-1244 (where MUT stands for “mysterious unattributed threat”) carried out the malicious activity as part of a larger attack campaign that included phishing and multiple trojanized GitHub repositories that contained proof-of-concept (PoC) code for taking advantage of known security vulnerabilities, according to Datadog Security Labs.
“Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated,” researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with media.
It should come as no surprise that threat actors, including North Korean nation-state groups, have found security researchers to be a desirable target: breaching their systems could reveal exploits they may be developing for unreported security vulnerabilities, which could then be used to launch additional attacks.
Attackers have been trying to take advantage of vulnerability disclosures in recent years by setting up GitHub repositories with fake profiles that pretend to host proofs of concept for the vulnerabilities but are really designed to steal data and even demand payment in exchange for the exploit.
Both delivery methods, the trojanized GitHub repositories and the phishing emails, are used to deliver a second-stage payload that can drop a cryptocurrency miner and steal system data, private SSH keys, environment variables, and the contents of particular folders (like ~/.aws), uploading them to File.io.
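The behaviour described above, a process reading SSH private keys or ~/.aws/credentials and then connecting to a generic file-sharing service, is a detection opportunity for defenders. The following Python is an added example, not code from the report or the article: it correlates, per process, reads of sensitive files with a subsequent connection to one of the exfiltration hosts the report names (file.io, Dropbox) inside a short time window. The telemetry format, the event lines and the 30-second window are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of host telemetry for this example (not real logs).
# Format assumed here: "<ISO-8601 time> <pid> <event> <detail>".
SAMPLE_EVENTS = """\
2024-11-02T10:00:01Z 4021 open /home/dev/.bashrc
2024-11-02T10:00:03Z 4021 open /home/dev/.ssh/id_ed25519
2024-11-02T10:00:03Z 4021 open /home/dev/.aws/credentials
2024-11-02T10:00:04Z 4021 connect file.io:443
2024-11-02T10:05:00Z 5110 open /home/dev/.ssh/id_rsa
2024-11-02T10:05:02Z 5110 connect github.com:443
2024-11-02T10:09:00Z 6300 open /home/dev/.aws/credentials
2024-11-02T10:09:40Z 6300 connect dropbox.com:443
"""

# Files whose read by an arbitrary process is worth correlating.
SENSITIVE_PATHS = [
    re.compile(r"/\.ssh/id_[a-z0-9]+$"),   # private keys only; id_*.pub does not match
    re.compile(r"/\.aws/credentials$"),
    re.compile(r"/\.env$"),
]

# File-sharing endpoints the report names as exfiltration destinations.
EXFIL_HOSTS = {"file.io", "dropbox.com"}


def parse(lines):
    """Yield (timestamp, pid, event, detail) tuples from the constructed log format."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, pid, event, detail = line.split(maxsplit=3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(pid), event, detail


def detect_exfil(lines, window_seconds=30):
    """Alert when a process connects to an exfil host within `window_seconds`
    of reading a sensitive file. Returns a list of alert dicts."""
    window = timedelta(seconds=window_seconds)
    reads = defaultdict(list)   # pid -> [(timestamp, path)]
    alerts = []
    for ts, pid, event, detail in parse(lines):
        if event == "open" and any(p.search(detail) for p in SENSITIVE_PATHS):
            reads[pid].append((ts, detail))
        elif event == "connect":
            host = detail.rsplit(":", 1)[0].lower()
            suffixes = tuple("." + h for h in EXFIL_HOSTS)
            if host in EXFIL_HOSTS or host.endswith(suffixes):
                recent = [path for t, path in reads[pid] if ts - t <= window]
                if recent:
                    alerts.append({"pid": pid, "host": host,
                                   "files": recent, "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_EVENTS):
        print(f"[ALERT] pid {alert['pid']} read {alert['files']} then contacted {alert['host']}")
```

In the sample, only pid 4021 trips the rule: pid 5110 reads a key but talks to github.com, and pid 6300 contacts dropbox.com 40 seconds after reading its credentials, outside the 30-second window. Widening `window_seconds` to 60 catches that second case too, which is the usual tuning trade-off between missed slow exfiltration and noise from legitimate backup or sync tools.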
One of these repositories, “github[.]com/hpc20235/yawpp,” was titled “Yet Another WordPress Poster.” Before GitHub removed it, it contained two scripts: one to validate WordPress credentials and another to create posts via the XML-RPC API.
However, the tool also carried malicious code in the form of a rogue npm dependency, @0xengine/xmlrpc, which delivered the same infection. The package was first published to npm in October 2023 as a JavaScript XML-RPC server and client for Node.js. The library is no longer available for download.
Notably, cybersecurity company Checkmarx said last month that the npm package had received around 1,790 downloads and had been in use for more than a year.
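Because the infection arrived through a dependency rather than through the repository's own scripts, a practical defensive check is to audit a project's package.json and package-lock.json against a blocklist of packages known to be malicious. The Python below is an added example, not code from Datadog, Checkmarx or the article: the blocklist contains only the two package names the article mentions, and the sample manifest and lockfile are constructed for the example (the version strings in them are placeholders, not real releases).

```python
import json
from typing import Iterable, List, Optional, Tuple

# Packages named in the reporting above. Constructed for this example;
# a real deployment would pull this from a curated feed.
KNOWN_MALICIOUS = {
    "@0xengine/xmlrpc",
    "@0xengine/meow",
}

# Constructed sample project files (versions are placeholders).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-wp-tool",
    "dependencies": {"@0xengine/xmlrpc": "^1.0.0", "axios": "^1.6.0"},
})
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-wp-tool"},
        "node_modules/@0xengine/xmlrpc": {"version": "1.0.0"},
        "node_modules/axios": {"version": "1.6.0"},
    },
})


def _normalize(name: str) -> str:
    """npm names are case-insensitive; tolerate a scoped name written without its '@'."""
    name = name.strip().lower()
    if "/" in name and not name.startswith("@"):
        name = "@" + name
    return name


def _lock_packages(lock: dict) -> Iterable[Tuple[str, str]]:
    """Yield (name, version) for every entry in a package-lock.json.
    Handles the v2/v3 'packages' map and the v1 nested 'dependencies' tree."""
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "?")
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version", "?")
            if "dependencies" in meta:
                stack.append(meta["dependencies"])


def find_blocklisted(package_json_text: str, lockfile_text: Optional[str],
                     blocklist=KNOWN_MALICIOUS) -> List[dict]:
    """Return one record per blocklisted package found in the manifest or lockfile."""
    block = {_normalize(n) for n in blocklist}
    hits = []
    pkg = json.loads(package_json_text)
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if _normalize(name) in block:
                hits.append({"name": name, "version": spec, "where": f"package.json:{field}"})
    if lockfile_text:
        seen = set()  # v2 lockfiles list every package twice; report each once
        for name, version in _lock_packages(json.loads(lockfile_text)):
            if _normalize(name) in block and (name, version) not in seen:
                seen.add((name, version))
                hits.append({"name": name, "version": version, "where": "package-lock.json"})
    return hits


if __name__ == "__main__":
    for hit in find_blocklisted(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK):
        print(f"[BLOCKED] {hit['name']}@{hit['version']} ({hit['where']})")
```

Checking the lockfile as well as the manifest matters: a blocklisted package pulled in transitively never appears in package.json, and the lockfile is what actually determines which code `npm ci` installs.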
According to reports, the yawpp GitHub project compromised unaffiliated threat actors who had obtained the credentials illegally, leading to the exfiltration of approximately 390,000 credentials, likely for WordPress accounts, to an attacker-controlled Dropbox account.
Datadog informed The Hacker News that it combined threat information shared by a third-party intelligence source with its own telemetry to determine how many credentials were exposed.
The payload is also spread through phishing emails sent to academics that trick them into clicking URLs instructing them to open a terminal and copy-paste a shell command to carry out a purported kernel upgrade. This is the first recorded instance of a ClickFix-style attack against Linux computers.
“The second initial access vector that MUT-1244 utilizes is a set of malicious GitHub users publishing fake proof-of-concepts for CVEs,” the researchers explained. “Most of them were created in October or November [2024], have no legitimate activity, and have an AI-generated profile picture.”
Alex Kaganovich, the worldwide head of offensive security red team at Colgate-Palmolive, had earlier called attention to several of these fake PoC repositories in mid-October 2024. Notably, the second-stage malware is delivered in four different ways:
- A backdoored configure compilation file
- A malicious payload concealed within a PDF document
- A Python dropper
- A malicious npm package called “0xengine/meow” included as a dependency
“MUT-1244 was able to compromise the system of dozens of victims, mostly red teamers, security researchers, and anyone with an interest in downloading PoC exploit code,” the researchers said. “This allowed MUT-1244 to gain access to sensitive information, including private SSH keys, AWS credentials, and command history.”