Telegram, AWS, and Alibaba Cloud Users Targeted in latest supply chain attack

A new supply-chain attack, which was active throughout September 2023, has been discovered in which threat actors used Typosquatting and Startjacking techniques to lure developers using Alibaba cloud services, AWS, and Telegram into downloading malicious Pypi packages.

The threat actors, who had the name “kohlersbtuh15” uploaded a series of malicious packages into the open-source package manager Pypi in an attempt to perform a supply-chain attack on targeted victims, reads Checkmarx report.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Technical Analysis

Typosquatting is the technique in which a threat actor utilizes the human error of mistyping an installation command by publishing a similar package with the mistyped name. Additionally, if a developer searches for a box by mistyping the package name, they end up on the website of the malicious package.

Starjacking is a method in which a package hosted on a package manager is linked to a different unrelated package’s repository on GitHub. Both of these techniques are combined together to maximize the reach.

Instead of using traditional scripts that auto-execute during setup, the threat actor embedded malicious scripts deep within the package, within specific functions. This technique prevents malicious scripts from being detected by security tools that scan for executable scripts.

Malicious packages

The threat actor mimicked a popular package, “Telethon” with over 69 million downloads named “Telethon2”. However, as part of the Starjacking attack, this package is linked with the Official GitHub repository of the “telethon” package. 

Telethon package mimicked
Telethon package mimicked (Source: Checkmarx)

This package had the exact source code copied from the Official package except for two malicious lines of code in the “telethon/client/messages.py” file. This code only gets executed when the “send message” function is called on the telethon package.

Another spoofed package was the “enumerate-iam” which did not have a python package. The threat actor created a new malicious Python package with the same name as the repository.

This package also had a few lines of malicious code that attempted to steal sensitive credentials when executed.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.