Top.GG, a popular service that helps users find servers and bots for Discord, recently fell victim to a supply chain attack. Attackers injected malicious code into Python packages used by bot developers, with the goal of stealing confidential data. Checkmarx specialists detailed the attack in a technical report, revealing the extent of the breach.
The attack unfolded in two main directions. Firstly, beginning in November 2022, the attackers uploaded malicious packages to PyPI, disguising them as popular tools with enticing descriptions. These fake packages mirrored legitimate ones, such as Colorama, and lured unsuspecting users into installing infected versions. Secondly, in March 2024 the attackers compromised a Top.GG administrator, gaining access to the platform's repositories on GitHub. They then added malicious commits to Top.GG's python-sdk repository, further spreading the malicious code.
The malicious code exhibited a broad spectrum of data theft capabilities, ranging from browser data and Discord tokens to cryptocurrency wallets and Telegram session information. It could also steal user files, Instagram data, and passwords through keylogging. The stolen data was sent back to the attackers’ servers via HTTP requests with unique identifiers and anonymous file hosting services such as gofile and anonfiles.
Although the exact number of affected users remains undisclosed, this attack serves as a stark reminder of the critical importance of verifying the security of software components utilized in development.
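As an added defender-side example (not code from the Checkmarx report or from Top.GG's repositories), the following script audits a requirements.txt for the patterns described above: look-alike names such as a misspelled Colorama, packages pulled from a non-default index or a direct URL, and dependencies that are not hash-pinned. The popular-package watch-list and the sample requirements file are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed watch-list of popular names that typosquatters imitate.
# Colorama is the one named in the article; the others are assumed examples.
POPULAR = {"colorama", "requests", "aiohttp", "pillow"}

# A package pulled from a non-default index, or by direct URL, deserves a
# second look in a third-party SDK's requirements file.
INDEX_DIRECTIVES = re.compile(
    r"^(--index-url|--extra-index-url|--find-links)\b|\s@\s*https?://", re.I)
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    # PEP 503 normalization: case-insensitive, runs of "-", "_" and "." collapse to "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text: str) -> list[str]:
    """Return human-readable findings for the body of a requirements.txt."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if INDEX_DIRECTIVES.search(line):
            findings.append(f"line {lineno}: non-default source: {line}")
            continue
        m = NAME_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        if "--hash=" not in line:
            findings.append(f"line {lineno}: {name} is not hash-pinned")
        if name not in POPULAR:
            for known in POPULAR:
                # Close-but-not-equal names are the typosquatting signature
                ratio = SequenceMatcher(None, name, known).ratio()
                if ratio >= 0.8:
                    findings.append(f"line {lineno}: {name} looks like {known} "
                                    f"(similarity {ratio:.2f})")
    return findings

# Constructed sample; not Top.GG's real requirements file.
SAMPLE = """\
# constructed sample
--extra-index-url https://files.example.invalid/simple
colorrama==0.4.6
aiohttp==3.9.3 --hash=sha256:PLACEHOLDER
requests>=2.31
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
```

Run against the constructed sample it reports the foreign index URL, the misspelled Colorama and the two unpinned packages, while the hash-pinned aiohttp line passes.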