Hackers Get Hacked: 390,000 WordPress Accounts Stolen in Massive Supply Chain Attack

WordPress Credential Theft Campaign Exposes Cybersecurity Community

A sophisticated year-long campaign by the threat actor MUT-1244 has stolen over 390,000 WordPress credentials through a trojanized WordPress credentials checker. The operation, discovered by Datadog Security Labs, also harvested SSH private keys and AWS access keys from hundreds of victims, including security researchers, penetration testers, and other offensive-security operators.

Attack Methodology:
– Deployment of trojanized GitHub repositories containing malicious proof-of-concept exploits
– Phishing campaigns disguised as kernel upgrades
– Malicious payload distribution through backdoored configure files, PDF files, and npm packages

The campaign gained credibility because its repositories were automatically ingested by legitimate threat-intelligence sources such as Feedly Threat Intelligence and Vulnmon. The campaign overlaps with a previously reported supply-chain attack involving the “hpc20235/yawp” GitHub project, which used the “0xengine/xmlrpc” npm package for data theft and cryptocurrency mining.

Key Components:
– Cryptocurrency mining malware
– Backdoor for collecting private SSH keys, AWS credentials, and environment variables
– Second-stage payload enabling data exfiltration to Dropbox and file.io

Impact:
– Over 390,000 WordPress credentials compromised
– Hundreds of systems remain infected
– Ongoing campaign continuing to compromise new targets
– Successful exploitation of trust within the cybersecurity community

The campaign deliberately targeted both legitimate security professionals and malicious actors seeking to validate stolen credentials, demonstrating a calculated approach to compromising the cybersecurity ecosystem by exploiting the trust its members place in shared tooling.