A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.
The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to “mysterious unattributed threat”) by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws.
“Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated,” researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with The Hacker News.
It’s no surprise that security researchers have been an attractive target for threat actors, including nation-state groups from North Korea, as compromising their systems could yield information about possible exploits related to undisclosed security flaws they may be working on, which could then be leveraged to stage further attacks.
In recent years, there has emerged a trend where attackers attempt to capitalize on vulnerability disclosures to create GitHub repositories using phony profiles that claim to host PoCs for the flaws but actually are engineered to conduct data theft and even demand payment in exchange for the exploit.
The campaigns undertaken by MUT-1244 not only involve making use of trojanized GitHub repositories but also phishing emails, both of which act as a conduit to deliver a second-stage payload capable of dropping a cryptocurrency miner, as well as stealing system information, private SSH keys, environment variables, and contents associated with specific folders (e.g., ~/.aws) to File.io.
One such repository was “github[.]com/hpc20235/yawpp,” which claimed to be “Yet Another WordPress Poster.” Prior to its takedown by GitHub, it contained two scripts: One to validate WordPress credentials and another to create posts using the XML-RPC API.
But the tool also harbored malicious code in the form of a rogue npm dependency, a package named @0xengine/xmlrpc that deployed the same malware. It was originally published to npm in October 2023 as a JavaScript-based XML-RPC server and client for Node.js. The library is no longer available for download.
It’s worth noting that cybersecurity firm Checkmarx revealed last month that the npm package remained active for over a year, attracting about 1,790 downloads.
The yawpp GitHub project is said to have enabled the exfiltration of over 390,000 credentials, likely for WordPress accounts, to an attacker-controlled Dropbox account by compromising unrelated threat actors who had access to these credentials through illicit means.
Another method used to deliver the payload entails sending phishing emails to academics in which they are tricked into visiting links that instruct them to launch the terminal and copy-paste a shell command to perform a supposed kernel upgrade. The discovery marks the first time a ClickFix-style attack has been documented against Linux systems.
“The second initial access vector that MUT-1244 utilizes is a set of malicious GitHub users publishing fake proof-of-concepts for CVEs,” the researchers explained. “Most of them were created in October or November [2024], have no legitimate activity, and have an AI-generated profile picture.”
Some of these bogus PoC repositories were previously highlighted by Alex Kaganovich, Colgate-Palmolive’s global head of offensive security red team, in mid-October 2024. But in an interesting twist, the second-stage malware is through four different ways –
- Backdoored configure compilation file
- Malicious payload embedded in a PDF file
- Using a Python dropper
- Inclusion of a malicious npm package “0xengine/meow”
“MUT-1244 was able to compromise the system of dozens of victims, mostly red teamers, security researchers, and anyone with an interest in downloading PoC exploit code,” the researchers said. “This allowed MUT-1244 to gain access to sensitive information, including private SSH keys, AWS credentials, and command history.”