Called Colorama, the utility makes ANSI escape character sequences work on Windows and has more than 150 million monthly downloads.
To mount their supply chain attack, the attackers cloned the tool, inserted malicious code into it, and hosted the malicious version on a fake mirror domain that relied on typosquatting to trick developers into mistaking it for PyPI's legitimate file host, ‘files.pythonhosted.org’.
To spread the malware-laden package, the attackers created malicious repositories under their own accounts and hijacked high-profile accounts, including the GitHub account ‘editor-syntax’, belonging to a maintainer of Top.gg, the search and discovery platform for Discord, which has a community of over 170,000 members.
Using the ‘editor-syntax’ account, the attackers contributed a malicious commit to the top-gg/python-sdk repository, adding instructions to download the malicious clone of Colorama, and starred malicious GitHub repositories to increase their visibility.
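A check a maintainer could run against a dependency file to catch the kind of commit described above, as an added example that is not part of the original report or of the top.gg or Colorama projects: it parses a requirements.txt, extracts every host pip would download from (index and find-links options plus direct `name @ URL` references), and flags hosts that are not PyPI's own, escalating those whose name resembles pypi.org or files.pythonhosted.org. The sample file and its `.invalid` hosts are constructed for the example; the lookalike threshold and the rule of comparing hostnames without their last label are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hosts pip talks to by default: the index itself and the file host behind it.
CANONICAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Requirements-file options that change where pip downloads from.
_URL_OPTS = ("--index-url", "-i", "--extra-index-url", "--find-links", "-f")

# "name @ URL" direct references and bare archive URLs.
_DIRECT_REF = re.compile(r"^(?:[A-Za-z0-9_.\-\[\]]+\s*@\s*)?(https?://\S+)")


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined to avoid pulling in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _name_part(host: str) -> str:
    """Drop the last label (assumption: the TLD) so that
    'files.pythonhosted.invalid' is compared as 'files.pythonhosted'."""
    labels = host.lower().split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else host.lower()


def lookalike_of(host: str, max_distance: int = 2):
    """Return the canonical host this one resembles, or None.
    max_distance is an assumed threshold, not a pip or PyPI rule."""
    if host.lower() in CANONICAL_HOSTS:
        return None
    best = None
    for canon in CANONICAL_HOSTS:
        d = _levenshtein(_name_part(host), _name_part(canon))
        if d <= max_distance and (best is None or d < best[1]):
            best = (canon, d)
    return best[0] if best else None


def _urls_in_line(line: str):
    """Yield every URL a requirements line makes pip fetch from."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in _URL_OPTS and i + 1 < len(tokens):
            yield tokens[i + 1]            # "--index-url URL" form
        for opt in _URL_OPTS:
            if tok.startswith(opt + "="):
                yield tok[len(opt) + 1:]   # "--index-url=URL" form
    m = _DIRECT_REF.match(line)
    if m:
        yield m.group(1)


def audit_requirements(text: str):
    """Return (line_no, host, severity, note) for each non-canonical download host."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' as a comment at line start or after whitespace.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        for url in _urls_in_line(line):
            host = urlsplit(url).hostname or ""
            if not host or host.lower() in CANONICAL_HOSTS:
                continue
            canon = lookalike_of(host)
            if canon:
                findings.append((n, host, "high", f"lookalike of {canon}"))
            else:
                findings.append((n, host, "medium", "non-canonical download host"))
    return findings


# Constructed sample requirements file; the hosts use the reserved .invalid
# TLD and are not real domains.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
requests==2.31.0
# direct reference pointing at a lookalike of PyPI's file host
colorama @ https://files.pythonhosted.invalid/packages/colorama-0.4.6.tar.gz
--extra-index-url https://pypi.internal.corp.invalid/simple
"""

if __name__ == "__main__":
    for line_no, host, severity, note in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: [{severity}] {host}: {note}")
```

Run against the sample, the direct reference on line 4 is reported as high (its name part matches files.pythonhosted exactly) while the private index on line 5 is reported as medium; a private index is normal in many shops, so the medium finding is for review rather than blocking, whereas a lookalike host should fail the build.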
The account was likely hijacked via stolen session cookies, which let the attackers bypass authentication and act as the logged-in user without knowing the account’s password. Multiple members of the Top.gg community were compromised as a result.