Malware & Ransomware · HIGH

Malware - ForceMemo Compromises Python Repositories on GitHub

SecurityWeek · Reporting by Ionut Arghire
4 sources · Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

In short, attackers used GitHub credentials stolen by earlier malware to log into developer accounts and push malicious code into those accounts' Python projects.

Quick Summary

Hundreds of GitHub accounts have been compromised in the ForceMemo campaign. The attackers inject malware into the Python repositories of each compromised account, putting developers' cryptocurrency and sensitive data at risk. Developers are urged to strengthen account security to prevent further breaches.

What Happened

A recent wave of attacks has seen threat actors exploiting stolen credentials from the GlassWorm malware campaign to compromise hundreds of GitHub accounts. This new campaign, dubbed ForceMemo, began on March 8, targeting various Python projects, including Django applications, machine learning code, and PyPI packages. The attackers are injecting malicious code into repositories, aiming to steal cryptocurrency and sensitive information from developers.

The method used in the ForceMemo campaign is particularly insidious. The attackers rebase the existing commits on the default branch, append obfuscated malicious code, and force-push the rewritten history. Because the commit message and author date are preserved, a casual look at the log shows nothing new, which makes the compromise hard to notice.

Who's Being Targeted

The ForceMemo campaign has primarily targeted developers working on Python projects across GitHub. This includes a wide range of repositories, from simple applications to complex machine learning frameworks. The use of compromised developer credentials means that any account with multiple repositories is at risk, as the malware injection affects all associated projects.

The attackers are particularly focused on developers who may have access to cryptocurrency, as the injected code is designed to query a specific Solana blockchain address for transaction instructions. This indicates a clear intent to siphon off cryptocurrency assets, highlighting the financial motivations behind the attack.

Signs of Infection

Developers should be vigilant for signs of infection, particularly if they notice unexpected changes in their repositories. Key indicators include:

  • Unexplained commits that appear in the repository without a clear author.
  • Changes in commit dates that do not align with the developer's activity.
  • Any unusual behavior from applications that rely on the compromised repositories.
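Because the rewritten commits keep their original author date, the git committer date (which git updates whenever a commit is re-created) is one place the rebase still leaves a trace. The following added example, not from the article or any of its sources, parses output of the assumed command `git log --format='%H|%at|%ct|%ae|%ce' <branch>` and flags commits that were re-created long after they were authored or by a different identity; the log lines are constructed.

```python
"""Flag commits that fit the rebase-then-force-push pattern: the author
date is preserved but the commit itself was re-created later.

Assumed input format (one commit per line):
    git log --format='%H|%at|%ct|%ae|%ce' <branch>
%at = author timestamp, %ct = committer timestamp (git resets this on rebase
unless the committer deliberately overrides it, so a clean result is not
proof of absence: cross-check with the repository's push/force-push events).
"""
from dataclasses import dataclass

# Constructed sample: one clean commit, one re-created months later,
# one re-created by a different identity. Not real ForceMemo data.
SAMPLE_LOG = """\
aaaa111|1709900000|1709900000|dev@example.org|dev@example.org
bbbb222|1709600000|1710000000|dev@example.org|dev@example.org
cccc333|1709500000|1709500100|dev@example.org|other@example.org
"""


@dataclass
class Commit:
    sha: str
    author_ts: int
    committer_ts: int
    author: str
    committer: str


def parse_log(text: str) -> list[Commit]:
    """Parse the pipe-separated git log lines into Commit records."""
    commits = []
    for line in text.strip().splitlines():
        sha, at, ct, ae, ce = line.split("|")
        commits.append(Commit(sha, int(at), int(ct), ae, ce))
    return commits


def suspicious(commits: list[Commit], max_skew: int = 24 * 3600) -> list[tuple]:
    """Return (sha, skew_seconds, committer) for commits re-created more than
    max_skew after authoring, or by someone other than the author.
    Legitimate rebases also trip this: hits are candidates for review."""
    hits = []
    for c in commits:
        skew = c.committer_ts - c.author_ts
        if skew > max_skew or c.author != c.committer:
            hits.append((c.sha, skew, c.committer))
    return hits


if __name__ == "__main__":
    for sha, skew, who in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{sha}: re-created {skew}s after authoring by {who}")
```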

The injected malware performs system checks and avoids machines with Russian language settings, suggesting a targeted approach by Eastern European cybercriminals. This level of specificity points to a well-planned operation, increasing the urgency for developers to secure their accounts.

How to Protect Yourself

To safeguard against such attacks, developers should take immediate action:

  • Enable two-factor authentication (2FA) on GitHub accounts to add an extra layer of security.
  • Regularly audit repositories for unauthorized changes or suspicious commits.
  • Use strong, unique passwords and consider employing a password manager to manage credentials securely.

Additionally, developers should stay informed about ongoing threats and be cautious of any suspicious activity in their accounts. By implementing these protective measures, developers can reduce the risk of falling victim to similar attacks in the future.

🔒 Pro insight: The ForceMemo campaign highlights the evolving tactics of threat actors, leveraging stolen credentials to execute sophisticated malware injections across multiple repositories.

Original article from

SecurityWeek · Ionut Arghire

Also covered by

  • Cyber Security News: ForceMemo Hijacks GitHub Accounts, Backdoors Hundreds of Python Repos via Force-Push
  • SC Media: GlassWorm campaign evolves: ForceMemo attack targets Python repos via stolen GitHub tokens
  • Help Net Security: GitHub-hosted malware campaign uses split payload to evade detection
