TL;DR
- Over 390,000 credentials were stolen in a year-long WordPress supply chain attack by MUT-1244.
- The attackers used spearphishing emails and trojanized GitHub repositories to deliver malware.
- The malware enabled theft of WordPress credentials, SSH keys, and AWS tokens, delivered through trojanized tools such as yawpp.
- Hundreds of systems remain compromised, with the attack exposing trust gaps in shared cybersecurity tools.
A year-long WordPress supply chain attack has led to the theft of over 390,000 credentials.
The threat actor, tracked as MUT-1244, used a trojanized WordPress credentials checker to target other malicious actors, along with legitimate cybersecurity researchers and penetration testers.
According to Datadog Security Labs, the campaign also stole private SSH keys and AWS access tokens from hundreds of compromised systems.
This large-scale attack combined phishing campaigns with malicious GitHub repositories to deliver the same malware payload.
Two Attack Vectors
The attackers used two main delivery methods to infect victims:
- Spearphishing Emails: These emails targeted academics and tricked victims into running malicious code. The messages posed as CPU kernel upgrade notifications, leading victims to unknowingly install the malware.
- Trojanized GitHub Repositories: The threat actor created fake GitHub repositories mimicking legitimate proof-of-concept (PoC) exploits for known vulnerabilities. Security researchers or malicious actors downloaded and executed these fake PoC exploits, which incorporated malicious libraries.
Matt Bromiley, Lead Solution Engineer at LimaCharlie, explained:
“The two mechanisms were spearphishing and trojanized GitHub repositories. Regardless of the method, the same second-stage payload was dropped, a backdoor that exfiltrated system details, credentials, and more.”
The attackers gave their 49 fake repositories names chosen to look legitimate, increasing the chances that they would be downloaded.
Some of these repositories were automatically picked up by trusted intelligence feeds such as Feedly Threat Intelligence and Vulnmon, which further boosted their credibility.
The malicious payloads dropped by the attackers included backdoored configuration files, Python droppers, PDF files, and compromised npm packages.
The backdoor enabled exfiltration of sensitive data, including:
- WordPress credentials
- SSH private keys
- AWS environment variables and access tokens
The stolen data was then uploaded to file-sharing services such as Dropbox and file.io. Researchers found credentials for these platforms hardcoded in the malware, which allowed the malware to upload stolen data directly without any further action by the attackers.
MUT-1244 compromised the systems of white hat and black hat hackers by exploiting trust in shared cybersecurity tools.
A trojanized tool named yawpp, advertised as a WordPress credentials checker, was central to this attack. Hackers likely ran the tool to validate credentials they had already stolen, not realizing that it contained malware.
Datadog researchers highlighted:
“Before these credentials were exfiltrated to Dropbox, they were in the hands of offensive actors, who likely acquired them through illicit means.”
The attackers leveraged tools widely used in underground hacking forums, validating stolen credentials while delivering their second-stage payload.
As a result, both attackers and researchers fell victim to the malware.
What is a Supply Chain Attack?
A supply chain attack involves exploiting trusted components, tools, or processes within a system to deliver malicious code.
Instead of targeting a system directly, attackers compromise third-party software, libraries, or services that organizations rely on.
This method increases the reach and impact of the attack, as it can spread to multiple systems through legitimate channels.
In this case, the attackers introduced malicious libraries into GitHub repositories and tools, allowing the malware to bypass initial suspicion.
Ongoing Impact
The scale of this supply chain attack shows how much damage it has done to trust within the cybersecurity community.
Hundreds of systems remain compromised, and new infections continue to occur as the campaign goes on.
The attack serves as a warning to security professionals and researchers to scrutinize tools and proof-of-concept exploits, even when sourced from seemingly legitimate platforms.