Sophisticated Year-Long Cyber Campaign Compromises Security Researchers via GitHub

CyberSecureFox 🦊

A sophisticated cyber campaign targeting security researchers and hackers has been uncovered by Checkmarx and Datadog Security Labs, revealing a complex operation that has been active for over a year. The attack leverages GitHub’s popular platform to distribute malware through seemingly legitimate software packages.

Sophisticated Malware Distribution Through npm Package

At the heart of this campaign lies the @0xengine/xmlrpc package, hosted on npm since October 2023. What began as a legitimate XML-RPC tool evolved into sophisticated malware over the course of 16 updates, accumulating approximately 1,790 downloads. The package’s transformation showcases the attackers’ ability to maintain long-term persistence while evading detection by security mechanisms.

Attack Vectors and Target Acquisition Strategy

The threat actor, designated as MUT-1244 (Mysterious unattributed threat), employed a dual-pronged approach to compromise targets. The first vector involved creating 49 fake GitHub accounts distributing trojanized exploit code. The second utilized a targeted phishing campaign, reaching out to 2,758 researchers and high-performance computing system developers.

Impact Assessment and Data Compromise

The malware, disguised as the Xsession.auth service, executed bi-daily data collection operations, harvesting sensitive information including SSH keys, AWS credentials, and other confidential data. Datadog’s analysis reveals the compromise affected approximately 390,000 accounts across infected systems, representing a significant security breach in the research community.

Technical Analysis of the Attack Infrastructure

The attackers demonstrated sophisticated tradecraft in concealing malicious code. The yawpp package, marketed as a WordPress credential verification tool, utilized @0xengine/xmlrpc as a dependency, ensuring automatic malware deployment. Data exfiltration occurred through legitimate services including Dropbox and file.io, making detection particularly challenging.

This campaign represents a concerning evolution in targeted attacks against security professionals. The unusual combination of Monero cryptocurrency mining operations with targeted data collection suggests potential state-sponsored involvement or sophisticated cybercrime organizations. Security experts recommend implementing strict package verification procedures, particularly when working with proof-of-concept exploits, and maintaining robust security controls for development environments. Organizations should conduct regular security audits of their npm dependencies and implement automated security scanning tools to detect potentially compromised packages.
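The dependency audit recommended above can be automated against the project lockfile. The following is an added example written for this article; it is not code from the article, from Checkmarx, or from Datadog. It reads an npm lockfile in the v2/v3 `packages` layout, flags any package on a blocklist (seeded here with the two package names the article reports, @0xengine/xmlrpc and yawpp) or any package that npm has marked with `hasInstallScript` (meaning it runs a preinstall/install/postinstall hook at install time, the point at which a trojanized package gets to execute), and traces each hit back to the direct dependency that pulls it in, so the yawpp -> @0xengine/xmlrpc chain described above becomes visible. The lockfile contents, version numbers and the `express`/`body-parser` entries are constructed for illustration.

```javascript
// Added example (not from the article, Checkmarx or Datadog): audit an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for blocklisted
// packages and packages with install scripts, and report which direct
// dependency pulls each one in. The lockfile below is constructed sample data.

const SAMPLE_LOCKFILE = {
  name: "research-tools",
  lockfileVersion: 3,
  packages: {
    // The "" entry is the project itself; its dependencies are the direct ones.
    "": { dependencies: { yawpp: "^1.0.0", express: "^4.19.2" } },
    "node_modules/yawpp": {
      version: "1.0.0", // constructed version
      dependencies: { "@0xengine/xmlrpc": "^1.3.0" },
    },
    "node_modules/@0xengine/xmlrpc": {
      version: "1.3.4", // constructed version
      hasInstallScript: true, // npm sets this when the package has install hooks
    },
    "node_modules/express": {
      version: "4.19.2",
      dependencies: { "body-parser": "^1.20.2" },
    },
    "node_modules/body-parser": { version: "1.20.2" },
  },
};

// Package names the article reports as part of this campaign.
const BLOCKLIST = new Set(["@0xengine/xmlrpc", "yawpp"]);

// "node_modules/a/node_modules/b" -> "b" (handles nested installs).
function packageName(lockKey) {
  const parts = lockKey.split("node_modules/");
  return parts[parts.length - 1];
}

// Build name -> lock record, a reverse dependency graph (name -> dependents),
// and the set of direct dependencies declared by the project root.
function buildGraph(lockfile) {
  const records = new Map();
  const dependents = new Map();
  for (const [key, rec] of Object.entries(lockfile.packages)) {
    if (key === "") continue;
    records.set(packageName(key), rec);
  }
  for (const [name, rec] of records) {
    for (const dep of Object.keys(rec.dependencies || {})) {
      if (!dependents.has(dep)) dependents.set(dep, []);
      dependents.get(dep).push(name);
    }
  }
  const direct = new Set(Object.keys(lockfile.packages[""].dependencies || {}));
  return { records, dependents, direct };
}

// Walk the reverse graph from a package up to the direct dependencies that
// (transitively) pull it in, so a finding can be attributed to a root cause.
function rootCauses(name, graph) {
  const roots = new Set();
  const seen = new Set();
  const stack = [name];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    if (graph.direct.has(cur)) roots.add(cur);
    for (const parent of graph.dependents.get(cur) || []) stack.push(parent);
  }
  return [...roots].sort();
}

// Returns findings sorted by package name: { name, version, reasons, via }.
function auditLockfile(lockfile, blocklist = BLOCKLIST) {
  const graph = buildGraph(lockfile);
  const findings = [];
  for (const [name, rec] of graph.records) {
    const reasons = [];
    if (blocklist.has(name)) reasons.push("blocklisted");
    if (rec.hasInstallScript) reasons.push("install-script");
    if (reasons.length) {
      findings.push({ name, version: rec.version, reasons, via: rootCauses(name, graph) });
    }
  }
  return findings.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
    console.log(`${f.name}@${f.version} [${f.reasons.join(", ")}] via: ${f.via.join(", ")}`);
  }
}
```

Run it against a real project by replacing `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the install-script check is the more durable signal, because a blocklist only catches packages already known to be bad, whereas `hasInstallScript` surfaces every package that gets to run code on install and therefore deserves a look before it lands in a development environment.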
