On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package.

The package maintainers replied and confirmed the attackers were able to take over the NPM package using a leaked automation token which was used to automate publications of NPM packages.

The malicious code displays a UI overlay, asking to connect the crypto wallets by clicking or scanning a QR. By doing so, this prevent usage of the infected website

This is yet another reminder on how sensitive the software supply chain is

Would MFA Have Prevented This?

Multifactor authentication is designed to challenge humans. There are three authentication factors that can be used and 2FA requires two:

1. something you know (like a password)
2. something you have (like a one-time-use token)
3. something you are (a biometric identity like a fingerprint or a speech pattern)

Going back two years ago – NPM decided to enforce 2FA on all users. Great move on NPM side as we witnessed many account takeover incidents happening.

Sounds Great, Doesn’t Work (?)

While this does secure NPM account takeover attacks from the interactive login page, enforcing 2FA on all accounts comes with a side-effect:

• non-human identities can’t answer 2FA challenges.

So, when you define an NPM automation token — whoever gets your long-auto generated password is able to bypass your 2FA controls to make new version releases.

Back to @lottiefiles/lottie-player , even with 2FA configured, the threat actors somehow got the NPM automation token set in the CI/CD pipeline to automate version releases to publish the malicious versions 2.0.5, 2.0.6, and 2.0.7 of the npm package

The Malicious Code

All it does is displaying a UI overlay to steer the victim’s focus on connecting its crypto wallets to the malicious interface.

Conclusion

Kudus to the package maintainers for quickly releasing an incident response report

Freeze your deps tightly. Don’t rush to update to the latest if it’s not a security update and it’s a new release.

Check and make sure you don’t have the malicious versions 2.0.5, 2.0.6, and 2.0.7 of lottie-player npm package.

The incident highlighted limitations of 2FA in automation environments, as automation tokens bypass these controls. This can happen to any major project.

This leads to Denial of Service (DOS) for those who install “everything, “which causes issues like storage space exhaustion and disruptions in build pipelines.

The creators of the “everything” package have published over 3000 sub-packages. These sub-packages are designed to split the dependencies into chunks and to depend on all publicly available NPM registry packages. 

The creators have also registered the domain https://everything.npm.lol/. On this website, they showcase the ensuing chaos and incorporate a famous meme from The Elder Scrolls V: Skyrim, adding an extra layer of humor or mockery to the situation.

Not the first time this has happened

A year ago, we encountered a situation with the package “no-one-left-behind” by Zalastax. This  package depended on every publicly available npm package, creating an intricate web of dependencies. Despite being removed by the npm security team, a new development emerged on Jan 28th, 2023. Over 33,000 packages under the scope “infinitebrahmanuniverse,” prefixed with “nolb-,” surfaced as sub-packages of “no-one-left-behind.”

The downsides of these trolls

Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can’t do it if other packages are using it. The problem is, since “everything” relies on every package (including yours), your package gets stuck, and there’s some unknown package preventing you from removing it.

An attempt to delete the packages

It doesn’t seem PatrickJS realized the headache his troll would cause to some users. Two days after the prank packages were published, he created an issue and shared that he is unable to delete the packages since the NPM mechanism prevents deletion of published packages once they are being used by other projects and calls for help from NPM support team. 

Summary

This act of digital mischief by PatrickJS echoes past incidents, highlighting ongoing challenges in package management and the cascading effects of dependencies within the NPM ecosystem. The situation underlines the comedic yet serious consequences of such pranks in the developer community.

The Hub of AI Models

At first glance, the HuggingFace Hub appears to be a treasure trove of harmless models. It provides a rich marketplace featuring pre-trained AI models tailored for a myriad of applications, from Computer Vision models like Object Detection and Image Classification, to Natural Language Processing models such as Text Generation and Code Completion.

Screenshot of the AI model marketplace in HuggingFace

“Totally Harmless Model”

While browsing HuggingFace’s marketplace for models, “ykilcher/totally-harmless-model” caught my attention. I was excited to try it out, so I loaded the model using a simple Python script and to my surprise it opened a browser in the background.

This model was created by the Researcher and YouTuber Yannic Kilcher, as part of his video on demonstrating the hidden dangers of loading open-source AI models.  I was inspired by his research video (which I highly recommend watching), so I wanted to highlight the risks of malicious code embedded in AI models. 

The Mechanics of Model Loading

Many HuggingFace models in the marketplace were created using the PyTorch library, which makes it super easy to save/load models from/to file. The file serialization process involves using Python’s pickle module, a powerful built-in module for saving and loading arbitrary Python objects in a binary format.

Pickle’s flexibility is both a blessing and a curse. It can save and load arbitrary objects, making it a convenient choice for model serialization. However, this flexibility comes with a dark side – as demonstrated on “ykilcher/totally-harmless-model” – the pickle can execute arbitrary code during the unpickling process.

Embedding Code in a Model

To show how easy it is, we’ll use a popular model from the marketplace (gpt2) and modify it to execute code when loaded.

Using the powerful Transformers Python library, we’ll start by loading our base model, ‘gpt2’, and its corresponding tokenizer. 

Next, we’ll declare a custom class called ExecDict, which extends the built-in dict object and implements the __reduce__ method which allows us to alter the pickle object (this is where we’ll execute our payload). 

Finally, we’ll create a new model, ‘gpt2-rs’, and use the custom save_function to convert the state dict to our custom class. 

Python script produces a copy of an existing model with an embedded code. Source

This script outputs a new model called “gpt2-rs” based on “gpt” and executing the payload when loaded.

Hugging Face (with collaborations from EleutherAI and Stability AI) has developed the Safetensors library to enhance the security and efficiency of AI model serialization. The library provides a solution for securely storing tensors in AI models, emphasizing security and efficiency. Unlike the Python pickle module, which is susceptible to arbitrary code execution, Safetensors employs a format that avoids this risk, focusing on safe serialization. This format, which combines a JSON UTF-8 string header with a byte buffer for the tensor data, offers detailed information about the tensors without running additional code.

In Closing…

It’s crucial for developers to be aware of the risks associated with LLM models especially when contribution from strangers on the internet as they may contain malicious code.

There are open-source scanners such as Picklescan which can detect some of these attacks.

In addition, HuggingFace performs background scanning of model files and places a warning if they find unsafe files. However, even when flagged as unsafe, HuggingFace still allows those files to be downloaded and loaded.

When using or developing models, we encourage you to use Safetensors file. If the project you are using has yet to transfer to this file format, Hugging Face allows you to convert it by yourself

For research purposes, I open-sourced here the various scripts I’m using to demonstrate the risks of malicious AI. Please read the disclaimer in this GitHub repo if you’re planning on using them.

The highly popular NuGet package, Moq, with total downloads of 475M+, released a new versions 4.20.0 and 4.20.1 on August 8th with a new sub-dependency that has hidden executable code that reads the user’s local git config, extracting the developer’s email address, hashing it, and sending it to a cloud service.

This incident was reported yesterday by Reddit user u/DinglDanglBob and also reported on the project’s GitHub page as an issue.

About Moq

Moq is a highly popular open-source project to provide a mocking library for .NET applications. From the project’s GitHub page:

Moq (pronounced “Mock-you” or just “Mock”) is the only mocking library for .NET developed from scratch to take full advantage of .NET Linq expression trees and lambda expressions, which makes it the most productive, type-safe and refactoring-friendly mocking library available. And it supports mocking interfaces as well as classes. Its API is extremely simple and straightforward, and doesn’t require any prior knowledge or experience with mocking concepts.

Moq’s New Sub-Dependency – “SponsorLink”

Since version 4.20.0 of Moq, Devlooped.SponsorLink NuGet package has been added as a new dependency.

As it turned out, Devlooped.SponsorLink is a closed-source project, provided as a compiled dll with obfuscated code, which scans the git config and sends the hashed email of the current developer to a cloud service. This code is executed during the application build and if you are depends on Moq there is no option to disable this.

Obfuscated Code

User account d0pare commented and found that the library spawns an external git process to get the developer’s email from the command git config --get user.email , then does some hashing and sends the result to hxxps://cdn.devlooped[.]com/sponsorlink.

private static string u00a0(string P_0) {
  try {
    Process process = Process.Start(new ProcessStartInfo(
      // this is obfuscated value of "git"
      6FA47342-3716-4274-AF01-7A37793E0E97.u206f(), 

      // this is obfuscated value of "config --get user.email"
      6FA47342-3716-4274-AF01-7A37793E0E97.u3000()
    ) {
        RedirectStandardOutput = true,
        UseShellExecute = false,
        CreateNoWindow = true,
        WorkingDirectory = P_0
    });
    process.WaitForExit();
    if (process.ExitCode != 0) {
      return null;
    }
    return process.StandardOutput.ReadToEnd().Trim();
  } catch {}
  return null;
}

He later discovered that the library also loads settings from the URL hxxps://cdn.devlooped[.]com/sponsorlink/settings.ini and is evasive in case one of the following environment variable exists

CI
TF_BUILD
TRAVIS
BUDDY
TEAMCITY_VERSION
APPVEYOR
JENKINS_URL

Users Looking For Alternatives

And I don’t blame them. Many users seem concerned about GDPR compliance as their products are built using Moq. This user commented that he won’t be able to use this package any more:

This is a serious GDPR breach, and we won’t be able to continue using this lib.
Also, having an obfuscated package included means that we can’t (easily) know what is happening. It could harvest any other information from a developer’s machine without any user consent.

Another user, SefaOray also commented:

We are removing moq immediately due to this.

and many more similar comments in this GitHub thread..

The Maintainer’s Response

GitHub user account kzu, the author behind this, commented that it was simply part of testing, and he wonder “why so much anger over sponsoring which can be done with as little as $1”

After posting this message, kzu probably panicked and decided to revert and unpublish versions 4.20.0 and 4.20.1 while quickly publishing 4.20.2without the new dependency in Devlooped.SponsorLink NuGet package.

Summary

Yesterday the owner of the popular NuGet package Moq incorporated a new sub-dependency, which exfiltrates the user info without his consent to hxxps://cdn.devlooped[.]com — a domain owned by the author of the Moq.

This sparked a debate on Reddit and GitHub, leaving many concerned users accusing this action of GDPR violations and statements regarding the legitimacy of his action.

Many organizations that built software using those releases are exposed to GDPR compliance.

In my opinion, the author did not intend to cause any harm but ended up damaging the trust of his users. This could have been prevented if it had been open for discussion prior to publishing the new changes and accepting the content of his users.

We must understand that it’s our responsibility when we use open source. This is why we need to support open-source maintainers in order to have a healthy open-source ecosystem.

Timeline

2023–01–24: Author published a blogpost suggesting a new solution to open source sustainability using the SponsorLink service
2023–02–04: Devlooped.SponsorLink first release to NuGet
2023–08–08: Moq released new versions 4.20.0 and 4.20.1 with Devlooped.SponsorLink as a dependency
2023–08–09: Moq released version 4.20.2 removing the Devlooped.SponsorLink dependency

IOC

hxxps://cdn.devlooped[.]com/sponsorlink

Packages

Other NuGet Packages using Devlooped.SponsorLink

devlooped.cloudstorageaccount.source
devlooped.tablestorage
devlooped.cloudstorageaccount
devlooped.sponsorlink
isbn
gitinfo
thisassembly.assemblyinfo
thisassembly.constants
thisassembly.project
thisassembly.git
thisassembly.strings
thisassembly.metadata
thisassembly.resources
nugetizer
devlooped.credentialmanager
websocketeer
websocketchannel
devlooped.web
packagereferencecleaner
mvp.xml
devlooped.dynamically
thisassembly

Subdomain Hijacking

Subdomain hijacking is a type of cyber attack where an attacker takes control of a subdomain of a legitimate domain, and uses it to host malicious content or launch further attacks.

In a subdomain hijacking attack, the attacker can find forgotten settings on free hosting websites such as GitHub Pages, which are not mapped anymore. The weak validation grants attackers permission to use those subdomains.

CocoaPods Casino

Guy Nachshon, a brilliant security researcher in my team, found out the subdomain cdn2.cocoapods.org was used years ago and abandoned. However, the DNS records still pointed to the GitHub Pages hosting service, and attackers hijacked it to host a fishy casino website.

While we were investigating this, the subdomain got freed on GitHub Pages (probably due to an update/mistake of the attackers).

We jumped on the opportunity and created a simple repository to hold this subdomain and prevent another takeover by those casino attackers.

This works as long as the subdomain is unoccupied by another GitHub Pages project and is super simple to set up -> settings, enable GitHub Pages, type the subdomain “cdn2.cocoapods.org”:

Watch this short demo video to see it in action:

Impact

Generally speaking, the impact of hijacking a subdomain of a known website can trick users into thinking the content they are seeing is legitimate and created by the known brand.

Furthermore, organizations usually allow network traffic to such dev-related legitimate resources from sensitive networks to support the engineering process.

Last year, we saw cases in which attackers hosted malicious exe file on GitHub and another example where an image hosted on imgur.com contained malicious python code. Hence, it’s quite clear what’s the potential of hijacking a subdomain of a popular and legitimate brand.

Conclusion

I disclosed the findings to CocoaPods in this GitHub issue, and huge respect for the fast response and removing the subdomain record.

It’s ridiculous how easy it is to take over an abandoned subdomain. This made me wonder – should this be that easy? Should GitHub enforce 2-way validation when linking a domain to a GitHub Pages project? Like validating the exact repository URL? IMHO – yes.

See this case as a warning if you have created subdomain records for side-projects that over time became obsolete, like cdn2.cocoapods.org. I suggest removing them, as someone might hijack your subdomain.

• Joint research of Checkmarx and Illustria resulted with an anomaly discovered in the open-source ecosystem
• Over 144,000 packages were published to NuGet, NPM, and PyPi by the same threat actors
• Investigation revealed a new attack vector – attackers spam open-source ecosystem with packages containing links to phishing campaigns
• All packages and related user accounts were most likely created using automation
• The packages share similar project description and auto-generated names
• The threat actors refer to retail websites with referral ids to benefit the threat actors with referral rewards
• Our teams disclosed the findings in this report and most of the packages were unlisted

Working Together, Keeping the Ecosystem Safe

The ongoing battle against software supply chain attackers continues to be challenging as attackers constantly adapt and surprise with new techniques. In order to better defend against these threats, Checkmarx and Illustria have joined forces and combined their research efforts. This collaboration led to the discovery of a significant anomaly in the NuGet, NPM, and PyPi ecosystems.

NuGet Anomalies

Our technology collects and indexes evidence related to packages from all open-source ecosystems, allowing us to query historical data for new insights and discover suspicious activities through a process we call “retro-hunting.”

A few months ago, we discovered an anomaly in the NuGet ecosystem when we cross-referenced new information with our databases. Clusters of packages had been published in large quantities to the NuGet package manager. Further investigation revealed that the packages were part of a new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns.

In this situation, it seems that automated processes were used to create over 135,000 packages in NuGet and related user accounts. The descriptions for these packages contained links to phishing campaigns. Our teams alerted the NuGet security team, and they replied that the packages were unlisted to protect users of the open-source ecosystem.

After investigating the NuGet anomaly with the creation of over 135,000 packages and related user accounts, we discovered that similar activity had also taken place in NPM and PyPi.

A total of 144,294 phishing-related packages were detected, all of which were created by the same threat actor. Of these, 136,258 were published on NuGet, 212 on NPM, and 7,824 on PyPi

Automated Packages and User Accounts

The large scale of the NuGet package publication and the patterns in the user accounts suggest that the process was automated. Many of the usernames followed the pattern “<a-z><1900-2022>”, and many users had published the same number of packages. Our team disclosed this information to the NuGet security team, who unlisted the packages from NuGet’s search results. While the packages are no longer easily accessible, their web pages are still available on NuGet’s website, and the packages can still be downloaded from these pages. Regarding the other ecosystems, the packages were taken down.

Phishing Sites in Package Description

The attackers used a large number of packages with names related to hacking, cheats, and free resources to promote their phishing campaign. Some of the package names included “free-steam-codes-generator,” “yalla-ludo-diamond-hack,” “a3-still-alive-hack-diamonds”, and “project-makeover-hack-gems.” These names were designed to lure users into downloading the packages and clicking on the links to the phishing sites.

The descriptions of all the packages we found contained links to phishing sites. The threat actors behind this campaign likely wanted to improve the search engine optimization (SEO) of their phishing sites by linking them to legitimate websites like NuGet. This highlights the need to be cautious when downloading packages and only to use trusted sources.

The messages in these packages attempt to entice readers into clicking links with promises of game cheats, free resources, and increased followers and likes on social media platforms like TikTok and Instagram.

The phishing campaign linked to over 65,000 unique URLs on 90 domains, with each domain hosting multiple phishing webpages under different paths. The deceptive webpages are well-designed and, in some cases, even include fake interactive chats that appear to show users receiving the cheats or followers they were promised.

These chats will even respond to messages if the reader chooses to participate, but these are all automated and fabricated. This highlights the need for caution when interacting with links in packages and the importance of only using trusted sources.

The websites included built-in fake flow that pretended to process data and generate the promised “gifts.” However, this process most of the time failed, and the victim was then asked to enter a “human verification” phase that involved multiple sites referring the user from one to another. These sites included surveys that asked the user to respond to various questions, leading to additional surveys or eventually to legitimate eCommerce websites. This shows the importance of being cautious when interacting with links in packages and only using trusted sources.

Referrals Rewards

While investigating the phishing websites, we noticed that some of them redirected to eCommerce websites with referral IDs. For example, one of our experiments resulted in being redirected to AliExpress, one of the world’s largest online retail platforms. Like many other retail websites, AliExpress offers a referral program that rewards members for referring new customers to the platform.

If the threat actors refer their victims to AliExpress and they make a purchase, the threat actors’ account will receive a referral reward in the form of a coupon or store credit. This highlights the potential financial gain for threat actors who engage in phishing campaigns like this one.

Conclusion

These attackers invested in automation in order to poison the entire NuGet, PyPi, and NPM ecosystem with 144,294 packages. This allowed them to publish a large number of packages in a short period of time, making it difficult for the different security teams to identify and remove the packages quickly. Automating the process also allowed the attackers to create a large number of user accounts, making it difficult to trace the source of the attack. This shows the sophistication and determination of these attackers, who were willing to invest significant resources in order to carry out this campaign.

The battle against threat actors poisoning our software supply chain ecosystem continues to be a challenging one, as attackers constantly adapt and surprise with new and unexpected techniques.

In order to better defend against these threats, Checkmarx and Illustria have teamed up to combine their research efforts. This collaboration led to the discovery of a significant anomaly in the NuGet ecosystem.

By working together, we can stay one step ahead of attackers and keep the ecosystem safe. We believe this kind of collaboration is crucial in the fight against software supply chain attacks, and we will continue working together to protect the open-source ecosystem.

List of Packages

The scale of this phishing campaign is significant, and you are welcome to download the full dataset hosted on GitHub Gist (11mb)

This will allow you to further analyze the data and gain a better understanding of the scope and nature of the attack.

If you would like access to the original metadata or samples from this phishing campaign, please feel free to send an email to supplychainsecurity@checkmarx.com. Our team will be happy to provide you with the information you need.

IOC

In total, we analyzed over 65,000 unique URLs (click to get the full list), which we were able to reduce to approximately 90 domains. (A link to the full list is provided.) This shows the scale of the phishing campaign and the effort that was required to identify and analyze all of the URLs involved.

• tinybit[.]cc
• gamecoins[.]codes
• gamecodeclaim[.]com
• gamesapp[.]pro
• playersworld[.]xyz
• lucymods[.]com
• redirekt[.]in
• rebrand[.]ly
• gluegames[.]xyz
• igetforfree[.]com
• techdoy[.]com
• gamemasters[.]xyz
• fabgames[.]xyz
• knightmods[.]com
• gamehunters[.]win
• getfreegem[.]com
• betabuff[.]xyz
• gamesconquest[.]xyz
• gamersahead[.]com
• gamedip[.]xyz
• bizgames[.]xyz
• gamedips[.]xyz
• gamedips[.]com
• tapasgaming[.]xyz
• iwantforfree[.]com
• gainforfree[.]com
• bigmouse[.]club
• flamingame[.]com
• codesrbx[.]com
• free-albums[.]org
• lootcodes[.]com
• madgames[.]xyz
• gopremium[.]win
• giftboxfree[.]com
• cheersgamers[.]com
• gamervalvet[.]com
• gamesflow[.]xyz
• nastygames[.]xyz
• gameysky[.]xyz
• buxx[.]site
• gamerblind[.]com
• gamemasters[.]xyz
• gamecodeclaim[.]com
• wikiredeem[.]com
• codefy[.]xyz
• gaminghorn[.]com
• hackcheatsgenerators[.]com
• coub[.]com
• wbld[.]xyz
• arcades[.]tech
• gamerscrew[.]xyz
• kaciestarrtriplett[.]com
• gopremium[.]win
• vipgamesgen[.]com
• freerobux[.]best
• rbxt[.]site
• boom-beach-free-diamonds[.]com
• gamecheats[.]win
• dragon-city-free-gems[.]com
• getfortskins[.]com
• unlocker[.]cc
• webstoreusa[.]net
• sbld[.]xyz
• newsdashes[.]com
• chatgamings[.]com
• m[.]vegas7games[.]com
• giftcardsking[.]xyz
• nancymarkle[.]com
• g4ming[.]cc
• justpremium[.]xyz
• kachifpro[.]info
• ocean-of-hacks[.]com
• appmobileforce[.]com
• gemtoon[.]com
• cheersgamers[.]compubg
• techiesbay[.]com
• supergame100[.]com
• vegas7games[.]pro
• windmod[.]icu
• gamerslab[.]org
• smash[.]gg
• bandicam[.]com
• onergfx[.]xyz
• wefunder[.]com
• flamingame[.]comproject
• devices[.]by
• gametown[.]xyz
• gainforfree[.]compubg
• imv[.]quest
• spotifyplus[.]pro
• thenewsref[.]com
• correlsense[.]com
• instagramhackonline[.]com

Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.

This attack group has been operating for over a year with multiple hacking objectives:

• Credit card information
• Discord “Nitro” (premium) upgrades
• Streaming services accounts (e.g. Disney+), Minecraft accounts, and more.

Our findings were disclosed to the security teams of GitHub, NPM, Repl.it, Discord, and more.

We’ve launched a tracker website https://lofygang.info/ to share the findings about these attackers and share the full list of LofyGang’s related packages here.

Connecting the Dots

In August 2022, we bumped into a couple of LofyGang’s malicious packages. It started with a report from one of our internal engines. Our researchers immediately began investigating and crossing the IOC using our internal retro-hunting tools. This helped reveal more and more connections to other packages, and some of the packages linked to reports from Sonatype, SecureList, and JFrog, but each report was a small piece of the big puzzle, as you can see below. The detective board was so overloaded at some point that we had to zoom out. See the image below. We are also sharing the detective board PDF file here.

Historical Hunting

When defenders disclose malicious packages to package managers (NPM, PyPi, etc..), the package managers simply delete the related release artifacts and metadata.

While this does prevent users from downloading the malware, it makes things hard for defenders to (a) know what happened, as this is not documented, and (b) learn and improve from the attacker’s activities as it’s almost impossible to get the removed evidence.

Checkmarx research team created internal tools to continuously collect open source-related evidence. This is powering our research process; as you can see in this report, it helps us reveal and correlate deleted historical evidence and re-investigate samples which assist us in telling you the story of LofyGang over time. To read more about the fruits of retro-hunting, check out this story.

About LofyGang

By observing LofyGang’s activities across the internet, it appears they are an organized crime group focused on stealing and sharing stolen credit cards, gaming and streaming accounts, and more.

They create sock-puppets accounts using a closed dictionary of names with slight permutations of keywords such as lofy, life, polar, panda, kakau, evil, devil, and vilão (villain in Portuguese).

As we explored this case, we guessed their origin is Brazil as much of the evidence contained Brazilian Portuguese sentences and even a file called “brazil.js”, which contained malware found in a couple of their malicious packages.

Discord Server

LofyGang’s Discord server was created a year ago, on October 31, 2021, and seems to be the main channel of communication between the group’s administrators and their members.

In this Discord server, you can find technical support for the group’s hacking tools, a dark meme group, and a dedicated bot responsible for a giveaway of Discord Nitro upgrades.

Discord Bot – “Lofy Boost”

LofyGang created a Discord bot “Lofy Boost” to deploy stolen credit cards on the operator’s account. When calling the bot command “ph!boost”, the operator must provide it with his personal credentials. Also, LofyGang stated that whoever uses this bot will also automatically boost LofyGang’s Discord server.

Cracked.io Contributions

The group is contributing to an underground hacking community under the alias DyPolarLofy, where  they leak thousands of Disney+ and  Minecraft accounts, promote their hacking tools under their GitHub page, promote their bots, and more.

Fake Instagram Followers As-A-Service

It seems that LofyGang’s main offering in that underground hacking community is to sell fake Instagram followers. This links to some of the malicious package profiles; for example, the package “fetch-string” is linked to the “victorjxl” Instagram account, which appeared to be an account with fake followers.

GitHub Profile

The group is hosting hack tools under the GitHub account PolarLofy. Their open source repositories offer tools and bots for Discord, such as:

• Discord spammer
• Password stealer
• Nitro Generator
• Chat Wiper
• And more

YouTube Tutorials

LofyGang has a YouTube channel with self-promotion content, such as video tutorials demonstrating how to use their hacking tools. Their channel has almost 4k subscribers.

Using Legitimate Services as C2

Discord, Repl.it, glitch, GitHub, and Heroku are just a few services LofyGang is using as C2 servers for their operation.

Malicious Packages

We were able to trace ~200 malicious open-source packages published in the past year. We saw several classes of malicious payloads, general password stealers, and Discord-specific persistent malware; some were embedded inside the package, and some downloaded the malicious payload during runtime from c2 servers.

We’ve launched a tracker website https://lofygang.info/ to share the findings about these attackers and share the full list of LofyGang’s related packages here.

Typosquatting and StarJacking

Typosquatting is a technique commonly used by attackers targeting the open source supply chain that relies on typing mistakes. Attackers register permutations of typing mistakes of popular packages, like “falsk” instead of “flask.” This leads to the accidentally installation of a malicious package.

Starjacking, usually combined with Typosquatting, occurs whenever a package references a git repository; websites such as PyPi, NPM, etc., display the statistics such as GitHub issues, stars, forks, etc., accordingly. The package managers do not validate the accuracy of this reference, and we see attackers take advantage of that by stating their package’s git repository is legitimate and popular, which may trick the victim into thinking this is a legitimate package due to its so-called popularity. We saw Starjacking  in another previously reported attack last month.

LofyGang, like many other attackers, used Typosquatting and Starjacking techniques to appear popular and legitimate to developers. For instance, they often use the words “color” and “discord” in package names in addition to referencing a legitimate GitHub repository and copying another popular package’s description as-is.

Hiding in a Sub-Dependency

One of the techniques used by the attackers to avoid detection is to keep the first-level package clean from malicious code, but having it depend on another package that introduces the malicious code. We saw that whenever the malicious dependent package was caught and removed, the attackers would replace it with a new one, and publish a new version of the main package which was never removed.

The packages are purposely published by different NPM user accounts to decouple them as much as possible if one of them is caught.

Modifying the Installed Discord Application

Some of the group’s malicious packages were spotted modifying the installed Discord instance with hooks to steal credit cards, sent via Discord webhook straight to the attackers whenever a payment was made.

Anti-Deobfuscation

Some of the malicious payloads are obfuscated. When we tried de-obfuscating the payloads, we noticed that the writers of this code added anti-deobfuscation statements to be executed whenever de-obfuscation tools such as https://github.com/relative/synchrony were used. The anti-deobfuscation statements would unpack a naïve regular expression that jams the event loop, making debugging the malicious code confusing.

NPM Activity Over Time

Since the beginning of their malicious activities on NPM, we’ve seen a steady flow of dozens of malicious packages published per month.

Don’t Trust Code From Strangers, Especially Attackers

LofyGang’s hack tools also depend on malicious packages, which infect their operators with persistent hidden malware using the same capabilities as described above. For instance, we saw the tool “Discord-Mass-Dm” on GitHub, which depends on “small-sm” – one of LofyGang’s malicious packages.

Screenshot from the group’s hack tool “Discord-Mass-Dm” having a malicious dependency.

In addition, some reports from the underground community cautioned about LofyGang’s code examples, discord bots, and other contributions which were also infected.

Conclusion

The surge of recent open-source supply chain attacks teaches us that cyber attackers have realized that abusing the open-source ecosystem represents an easy way to increase the effectiveness of their attacks.

Communities are being formed around utilizing open-source software for malicious purposes. We believe this is the start of a trend that will increase in the coming months.

We’d like to thank our friends from Sonatype, SecureList, and JFrog for publishing their reports. By crossing those findings, we were able to connect the dots faster and create this investigation board which links the source of those activities to LofyGang.

We believe in sharing and working together to keep the ecosystem safe. Shoot us an email at supplychainsecurity@checkmarx.com if you’re interested in this incident’s samples or other data.

Tracker Website

We’ve launched a tracker website https://lofygang.info/ to share new findings about these attackers. This is an open source static website available on our GitHub. If you bump into more of these packages, feel free to contribute!

List of Malicious Packages

See the following list of malicious packages in this gist: https://gist.github.com/jossef/aaa9e45c062d973f18bd87c43b9c4fc7

IOC

To learn more about Checkmarx approach to Supply Chain Security, request a demo of our Checkmarx One Application Security Platform today. Or sign up for a 14-day free trial here.

On Saturday, August 13th, Checkmarx’s Software Supply Chain Security Typosquatting engine detected a large-scale attack on the Python ecosystem with multi-stage persistent malware.

The PyPi user account devfather777 published a dozen malicious Typosquatting packages under the names of popular projects with slight permutation.

All of those malicious packages contained a code executed upon installation, which downloads and executes a windows executable hosted on GitHub under the user account jagermager999 repository jagermager999/8746465cdg78cdsxasy8a

All of the findings were reported to the security teams of PyPi and GitHub

Attack Vector – Typosquatting

Typosquatting is technique attackers use many times to deliver malware to innocent victims, as seen before. This is based on the victim’s typing mistake: Usually, whenever they wish to install an open-source software while writing it down manually in the terminal command.

As typing mistakes are highly common, attackers take advantage of this and target similar names to popular open-source projects on the ecosystem, thus delivering malware to victims only sinned in making a typing mistake.

Targeting Highly Popular Packages

This attacker is targeting Python’s top packages such as idna, flask, docutils, and more, with over 500 million monthly downloads combined.

Attack Flow

Right after Checkmarx’s automatic engines detected the malicious packages we started an analysis process involving our security researchers analyzing this campaign and reverse engineering the dropped embedded malware to understand the full picture.

Dropping the Malware

The attack begins with a victim installing the malicious Python package. Then, the following Python code, embedded in the malicious package’s setup.py file, checks if the victim’s operating system is Windows. If not, it quits, and if so, it continues and downloads the file test.exe, which is hosted on GitHub under the user account jagermager999 repository jagermager999/8746465cdg78cdsxasy8a:

User Historical Records

Checkmarx SCS team have an evidence collection where every OSS package and its related metadata are being collected ASAP for evidence and potentially later analysis and comparison. We were able to locate the deleted records of PyPi user devfather777 as he was making experiments a couple of days before his attack to build the successful malicious payload and make end-to-end tests to ensure its working

In total, user devfather777 published 15 experiment package versions until achieving a successful working version.

Understanding “test.exe”

To uncover the complete picture of the malware capabilities, we initiated a reverse engineering process.

We started by scanning the file in VirusTotal (scan result), which resulted in 11 engines classifying this as malicious:

In addition, we found interesting relations in Virus Total, such as URLs and additional dropped files as it appear in this graph view:

We then ran a scan using multiple commercial sandbox servicers such as any.run https://app.any.run/tasks/1e8d9a86-6da7-496a-9500-49cc873d92ac/:

And Triage https://tria.ge/220813-r2v5haagfj/behavioral2:

Malware Self Installation

As the file “test.exe” is being fetched, saved as “tmp_file_pypi_29x7d0kf8.exe”, and executed – it installs itself by copying its file content into the Windows path – “C:Users<username>AppDataRoamingMicrosoftWindowsStart MenuProgramsStartupsppvcc.exe”.

Placing itself in the Startup directory makes the malware persistent by executing itself after every reboot, which makes its installation very simple.

In addition, the malware installs a system wide Root CA with the CN “Some Company”. The installed certificate expired two years ago on September 28, 2020:

Malware Configuration

This malware is configurable and hiding inside some interesting features covered in the next section. Once this malware is executed, it makes an HTTP connection to the URL “hxxps://raw.githubusercontent.com/jagermager999/8746465cdg78cdsxasy8a/main/test.txt” and fetches the latest configuration file “test.txt” which is also hosted on the same GitHub repository jagermager999/8746465cdg78cdsxasy8a:

At the time of writing, the latest configuration observed was auditing the victim’s information and sending it to a unique generated pixel URL provided by the free legitimate service https://iplogger.org/:

Reverse Engineering

To get a better understanding of the malware’s hidden features provided with its configuration, we opened the malware in IDA and found the following findings after manually reverse engineering it:

• It’s a custom-made malware, written in C++ language
• Has encrypted strings, XOR key “e0” (hex, used in loops)
• Compiled on August 9th, 2022, which is the same date PyPi user devfather777 registered
• Has DGA capabilities as explained below
• Options to random data (perhaps DOS botnet) to desired destination data over TCP or UDP socket
• Ability to uninstall itself
• Download URL and execute

Configuration Parser

As the malware configuration changed multiple times in the past 10 days since the user created this GitHub repository, as we try to understand the format used by this malware’s simple .txt also assisted reverse engineering:

• Z0 – Continues to run on a new thread
• d – Tries to download the URL and execute the response
• u – Same as flag “d” but it also uninstalls itself by running command “/c TIMEOUT /T 3 /NOBREAK & del C:UsersWin10AppDataRoamingMicrosoftWindowsStart MenuProgramsStartupsppvcc.exe /q /f & exit”
• tf – Random send over TCP socket to desired address
• uf – Random send over UDP socket to desired address

Domain Generation Algorithm (DGA)

In the behavioral analysis results we saw a very interesting pattern appears to be a DGA. We later confirmed it with reverse engineering.

After 3 failed attempts to fetch the configuration from the URL “hxxps://raw.githubusercontent.com/jagermager999/8746465cdg78cdsxasy8a/main/test.txt” the malware will start making HTTP requests to the following pattern:

• hxxps://raw.githubusercontent.com/ds8xzki890dsq2a1/1/master/main.js
• hxxps://raw.githubusercontent.com/ds8xzki890dsq2a2/1/master/main.js
• hxxps://raw.githubusercontent.com/ds8xzki890dsq2a3/1/master/main.js
• hxxps://raw.githubusercontent.com/ds8xzki890dsq2a4/1/master/main.js
• …
• hxxps://raw.githubusercontent.com/ds8xzki890dsq2a21/1/master/main.js
• hxxps://raw.githubusercontent.com/ds8xzki890dsq2a22/1/master/main.js
• hxxps://raw.githubusercontent.com/ds8xzki890dsq2a23/1/master/main.js
• …

We checked to see if one of these usernames are registered and none were found taken. This is the first time we see a malware in the software supply chain ecosystem using DGA or in this case UGA to allocate generated name for new instructions to have for the malicious campaign.

Evasive

This malware shipped with code to avoid being executed on sandbox environments. The anti-sandbox code inside has multiple “sleep” attempts and performance counts measurements.

Impact

The packages targeted were chosen for one reason – their popularity. All dozen packages combined have over 500 million monthly downloads.

Attackers are getting more and more sophisticated. This example is just a reminder on how creative attackers can become.

Using a legitimate service such as GitHub to host malware and grab it dynamically during installation will most likely not raise red flags as GitHub is a legitimate service many OSS use by design during installation.

We are dealing with a very experienced attacker with skills in writing tailor made malware in C++, implementing domain generated algorithms – a first seen technique in use in modern software supply chain attacks.

IOCs

• sha256 97053af6922baa9d199a4fa04c461728ac636b8161bd5295c3e847bc0adbe360
• sha1 b209471a23252018d8424139fafcaa8fe7b200ea
• md5 a2f9c46844fb65c1a71bbd58a484f9f1
• hxxps://raw.githubusercontent.com/jagermager999/8746465cdg78cdsxasy8a/main/test.txt
• hxxps://raw.githubusercontent.com/ds8xzki890dsq2a*/1/master/main.js
  • URL starts with “raw.githubusercontent.com/ds8xzki890dsq2a” and ends with “/1/master/main.js”
• hxxps://iplogger.org/1RUEV4

List of Packages

See list below, comparing the popular malicious packages with the original packages:

Timeline

• 2022-08-02 – GitHub repo created with initial configuration
• 2022-08-03 – GitHub repo was updates with 2 malware configuration updates
• 2022-08-09 – PyPi user devfather777 registered
• 2022-08-09 – GitHub repo was updated with the malicious .exe file
• 2022-08-10 – 2 PyPi packages “club_house_api99” and “supertest9188” created and 15 total versions published evolving the final malicious code
• 2022-08-11 – the packages “club_house_api99” and “supertest9188” were deleted by the devfather777
• 2022-08-13 – 12 PyPi packages created all contain the final malicious code
• 2022-08-13 – Checkmarx SCS team started investigation
• 2022-08-13 – Checkmarx SCS reported the findings to PyPi and GitHub

Today, as it was revealed by Stephen Lacy in his tweet, he shared his findings of a large-scale campaign targeting random GitHub repositories with project clones containing credential stealing malware and remote shell execution on top of the original code.

Quickly after this tweet was published, either GitHub or the attacker removed most of the public forked projects, hiding the evidence.

A couple of hours later, a tweet from a newly created user account, @Pl0xP, claims that he is behind the attack and it is part of a bug bounty.

Attack Flow

This attack vector is possibly trying to target what users type in search-engines-related code snippets and land into these malicious random GitHub repositories, as discovered by Stephen Lacy when accidentally browsing through one of the infected fake clones. Here is a possible scenario:

1. The attacker forks a GitHub repository
2. The attacker alters the latest original commit and adds malicious code using the original committer identity
3. The malicious payload sends sensitive environment variables to the attacker’s infrastructure, and then waits for a command from the attacker to execute on the machine

It seems the attacker amended the most recent commit and modified it with malicious code. It is possible they planned to inject this code into the original forked project.

By amending or committing changes in the right manner, attackers can impersonate another GitHub user and make it look like the commit came from them. This is done by locally changing certain environment variables to obtain the username and email address of the user the attacker would like to impersonate. Read more about this technique.

Screenshot from one of the infected commits. Note the commit signature is unverified

Infecting GoLang Files

It appears that the attacker ran a program to “patch” each of the cloned project’s “.go” files with an init function, thus having the capabilities to exfiltrate environment variables and execute code on the victim’s machine. This malicious code will not run if the environment variable “e452d6ab=1” is defined as seen below:

Infecting NPM Project Files

It appears the attacker ran a program to “patch” each of the cloned project’s “package.json” files with “postinstall” statement, having a logic to exfiltrate environment variables and execute code on the victim’s machine as shown below:

Infecting YAML Files

YAML files, infrastructure configuration, and containers were modified with additional steps to execute a curl command to exfiltrate all environment variables to the custom service as shown below:

More file formats

We assume there are more file formats the attacker targeted in addition to the formats above.

Researcher’s work?

Although @Pl0xP responded a couple of hours later to the original tweet that this was done as part of a bug bounty, this is waiting to be proven. Nevertheless:

1. The code exfiltrated sensitive environment variables. Let’s say you’re doing a POC, and sending your computer name is more than enough.
2. After exfiltrating the data, the server sent commands to be executed on the victim’s machine.
3. Twitter username @Pl0xP is a new user account on twitter.

Summary

We are seeing more and more large scale attacks on the open source ecosystem, for example, the research here: https://cuteboi.info/

Those attacks can easily fool an unsuspected developer (read more). If this is the work of an ethical hacker, we need to set clear boundaries for what is allowed/un-allowed (read more).

We will update this blog as needed…

IOCs

• ovz1.j19544519.pr46m.vps.myjino.ru

This flaw is yet to be fixed and the steps to exploit it were recently published, making it highly likely that we will see more of these in the near future.

What happened?

A few days ago, someone launched an attack on three popular open-source packages. Two of these attacks were done by the use of the RepoJacking technique.

Due to the popularity of the packages that the attacker compromised — millions of total downloads — the attack was widely reported and yesterday a security researcher took ownership over these attacks and published his own blog explaining the technique he used.

The blogpost included the steps to reproduce a bypass for the “popular repository namespace retirement” protective measure put in place by GitHub to prevent users from hijacking repositories of renamed usernames.

Since this issue is still unresolved it is likely that other attackers will try to use this bypass and potentially cause serious damages to the open-source ecosystem by poisoning popular software packages with malicious code.

The Checkmarx Supply Chain Security team has been engaged in a responsible disclosure process of this issue for the past six months.

RepoJacking Protection

One of the many features GitHub provides is the ability to rename your user account. Users taking advantage of this renaming option leave all of their old repository names vulnerable to takeover by a technique referred to as RepoJacking.

To avoid this potentially harmful behavior, GitHub put in place the following protection measure: any repository with more than 100 clones at the time its user account is renamed, is considered “retired” and cannot be used by others.

To clarify: what is considered “retired’ is the namespace, meaning the combination of the username and the repository name.

For example, let’s take the repository named “repo” of the username “account-takeover-victim”.

This repository was recently cloned 100 times, which qualifies it for the popular repository namespace retirement.

At this point, the account’s owner decides to rename the username to whichever name they choose.

The practical result of this is that the username “account-takeover-victim” can now be claimed by anyone.

However, once the new owner of this username tries to open a new repository under the name “repo,” they will be blocked and get the following message:

This way, the old username is available for anyone to claim, but once this new owner of the username tries to create a new repository with a “retired” name, GitHub blocks this attempt.

Bypassing the protection

To bypass this “retired namespace” protective measure, attackers will need to be a little bit premeditated.

Instead of:

• Claiming the targeted username (“repo”)
• Then trying to create a repository with the targeted repository name (“account-takeover-victim”)

an attacker will need to:

• Open a random GitHub account
• Create a repository with the targeted repository name (“repo”)
• rename the account’s name to the targeted username (“account-takeover-victim”)

What’s the Impact?

The fact that any attacker can claim GitHub repositories that were renamed has an enormous impact on the open-source ecosystem.

One reason for this is the numerous languages that pulls packages’ code directly from version control systems, prominently GitHub, and uses GitHub URLs as pointers for packages.  

Among these languages are:

• Go
• Swift
• PHP

This puts dozens of thousand open-source packages at risk of hijacking. The Go and Swift languages alone have more than 10,000 packages that are vulnerable to this attack vector. The practical meaning of that is that thousands of packages can immediately be hijacked and start serving malicious code to millions of users and many applications.

Swift and GoLang vulnerable packages

Considering the major role GitHub plays in software development and specifically in open-source software, it’s reasonable to assume that other repercussions exist.

Disclosure

The Checkmarx Supply Chain Security (SCS) team discovered this issue over six months ago and has been engaged in a responsible disclosure process with GitHub ever since. We refrained from publishing this bypass as this issue is still not resolved by GitHub.

Although this bypass wasn’t made public at that time, Checkmarx SCS team has released the ChainJacking open-source tool to help Go developers detect vulnerable packages in their dependency trees.

As the recent PHP hijacking showed, this weakness is being exploited in the wild. The public disclosure of the steps to reproduce this bypass will likely result in copycats that will take advantage of it.

Disclosure Timeline

• 1 Nov 21 – We found a way to bypass the GitHub namespace retirement validation feature
• 8 Nov 21 – We disclose the bypass findings to GitHub
• 8 Nov 21 – GitHub acknowledged the bypass and replied that they are working on a fix
• 24 Mar 22 – GitHub respond that they have fixed the bypass
• 11 May 22 – We discover that the bypass is still exploitable (fix not working)
• 12 May 22 – We report back to GitHub that their fix is not working, and this bypass is still exploitable
• 23 May 22 – This attack was found active against open-source attack
• 25 May 22 – This technique was published publicly by the security researcher taking ownership of the attacks

To sum up

The ability to claim the name of any GitHub repository belonging to a renamed user account is a highly undesirable weakness in GitHub’s architecture and for that reason, they created a protective measure to block that specific behavior.

The fact that this protection can be bypassed and is currently used in the wild is highly concerning and has a huge effect on several popular programming languages, among other things.

Understanding the graveness of the situation, we have employed an inhouse monitoring system that actively tracks down attempts to exploit this flaw. We will work with GitHub to block these attackers until a full fix is in place.  

We urge developers to avoid this possible risk by making sure that they are not susceptible to it using our open source ChainJacking tool.

We will continue working together with teams like GitHub’s to keep the ecosystem safe for all developers and their application users.