Malware & Ransomware · HIGH

Malware - ForceMemo Compromises Python Repositories on GitHub

🎯 Basically, hackers used stolen passwords to break into GitHub accounts and add harmful code to projects.

Quick Summary

In a troubling development, hundreds of GitHub accounts have been compromised due to the ForceMemo campaign. This attack injects malware into Python repositories, risking sensitive data theft. Developers are urged to strengthen their security measures to prevent further breaches.

What Happened

A recent wave of attacks has seen threat actors exploiting stolen credentials from the GlassWorm malware campaign to compromise hundreds of GitHub accounts. This new campaign, dubbed ForceMemo, began on March 8, targeting various Python projects, including Django applications, machine learning code, and PyPI packages. The attackers are injecting malicious code into repositories, aiming to steal cryptocurrency and sensitive information from developers.

The method used in the ForceMemo campaign is particularly insidious. By rebasing legitimate commits on the default branch and adding obfuscated malicious code, the attackers can manipulate repositories without raising immediate suspicion. The commit message and author date remain unchanged, making it difficult for developers to detect the compromise.

Who's Being Targeted

The ForceMemo campaign has primarily targeted developers working on Python projects across GitHub. This includes a wide range of repositories, from simple applications to complex machine learning frameworks. The use of compromised developer credentials means that any account with multiple repositories is at risk, as the malware injection affects all associated projects.

The attackers are particularly focused on developers who may have access to cryptocurrency, as the injected code is designed to query a specific Solana blockchain address for transaction instructions. This indicates a clear intent to siphon off cryptocurrency assets, highlighting the financial motivations behind the attack.

Signs of Infection

Developers should be vigilant for signs of infection, particularly if they notice unexpected changes in their repositories. Key indicators include:

  • Unexplained commits that appear in the repository and cannot be traced to a known contributor.
  • Commit dates that do not line up with the developer's own activity (for example, a rewritten commit keeps its original author date but carries a much newer committer date).
  • Any unusual behavior from applications that rely on the compromised repositories.

The injected malware performs system checks and avoids machines with Russian language settings, suggesting a targeted approach by Eastern European cybercriminals. This level of specificity points to a well-planned operation, increasing the urgency for developers to secure their accounts.
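The rebase technique described above leaves a measurable trace: a rewritten commit keeps its author date and message, but git stamps it with a new committer date (and, if someone else did the rewriting, a new committer identity), and the rewritten branch no longer contains the head SHA you saw before. The following audit script is an added example, not code from the original article or from SecurityWeek; it parses the output of `git log --format='%H|%an|%at|%cn|%ct|%s' <branch>` and flags exactly those two signals. The sample log lines, the SHAs, the name "Dana Dev", the recorded head `0f0f0f0f` and the one-hour skew threshold are all constructed assumptions for illustration.

```python
"""Audit a branch's git history for rewritten (rebased) commits and for a
branch whose previously recorded head has disappeared.

Expected input is one commit per line in the format produced by
    git log --format='%H|%an|%at|%cn|%ct|%s' origin/main
i.e. hash | author | author unix time | committer | committer unix time | subject.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Commit:
    sha: str
    author: str
    author_ts: int
    committer: str
    committer_ts: int
    subject: str


def parse_git_log(text: str) -> List[Commit]:
    """Parse '%H|%an|%at|%cn|%ct|%s' lines; the subject may itself contain '|'."""
    commits: List[Commit] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|", 5)  # split at most 5 times so '|' in subject survives
        if len(parts) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        sha, an, at, cn, ct, subject = parts
        commits.append(Commit(sha, an, int(at), cn, int(ct), subject))
    return commits


def find_rewritten_commits(commits: List[Commit], max_skew: int = 3600) -> List[Commit]:
    """Return commits whose committer timestamp lags the author timestamp by more
    than max_skew seconds, or whose committer identity differs from the author.

    A rebase or amend preserves %an/%at and the message but writes a fresh
    %cn/%ct, so a large skew on a commit you never rebased is a triage signal.
    Caveat: squash/rebase merges done by a forge, or a maintainer applying a
    contributor's patch, also produce committer != author. Treat hits as
    commits to inspect, not as proof of compromise.
    """
    return [
        c for c in commits
        if (c.committer_ts - c.author_ts) > max_skew or c.committer != c.author
    ]


def branch_was_rewritten(recorded_head: str, commits: List[Commit]) -> bool:
    """True when the head SHA noted at the last audit is no longer in the history.

    Rewriting history changes every SHA from the rewrite point upward, so an
    earlier head that has vanished means the branch was force-pushed over.
    """
    return recorded_head not in {c.sha for c in commits}


def audit(log_text: str, recorded_head: str, max_skew: int = 3600) -> Dict[str, object]:
    """Run both checks and return a small findings record."""
    commits = parse_git_log(log_text)
    rewritten = find_rewritten_commits(commits, max_skew)
    return {
        "commit_count": len(commits),
        "head_missing": branch_was_rewritten(recorded_head, commits),
        "rewritten": [c.sha for c in rewritten],
    }


# Constructed sample: the two newest commits keep their original author dates
# but were re-stamped with committer dates about a day later (a rebase);
# the oldest commit is untouched. SHAs are shortened placeholders.
SAMPLE_LOG = """\
a1b2c3d4|Dana Dev|1709890000|Dana Dev|1709985601|Fix typo in README
e5f6a7b8|Dana Dev|1709800000|Dana Dev|1709985600|Add model training loop
c9d0e1f2|Dana Dev|1709700000|Dana Dev|1709700000|Initial Django scaffold
"""
RECORDED_HEAD = "0f0f0f0f"  # head SHA written down at the previous audit (constructed)


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG, RECORDED_HEAD)
    print(f"commits scanned : {findings['commit_count']}")
    print(f"recorded head gone: {findings['head_missing']}")
    for c in find_rewritten_commits(parse_git_log(SAMPLE_LOG)):
        skew = c.committer_ts - c.author_ts
        print(f"REWRITTEN {c.sha} author_ts={c.author_ts} committer_ts={c.committer_ts} "
              f"(+{skew}s) {c.subject}")
```

To use it against a real repository, run `git fetch` and feed it the output of the `git log --format` command shown in the docstring, keeping the head SHA from each audit so the next run can detect a rewrite. Note that even a clean result does not cover code pushed as new, plausible-looking commits; for those, the commit diff itself still has to be read.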

How to Protect Yourself

To safeguard against such attacks, developers should take immediate action:

  • Enable two-factor authentication (2FA) on GitHub accounts to add an extra layer of security.
  • Regularly audit repositories for unauthorized changes or suspicious commits.
  • Use strong, unique passwords and consider employing a password manager to manage credentials securely.

Additionally, developers should stay informed about ongoing threats and be cautious of any suspicious activity in their accounts. By implementing these protective measures, developers can reduce the risk of falling victim to similar attacks in the future.

🔒 Pro insight: The ForceMemo campaign highlights the evolving tactics of threat actors, leveraging stolen credentials to execute sophisticated malware injections across multiple repositories.

Original article from SecurityWeek · Ionut Arghire
