A sophisticated cyber attack campaign has led to the theft of over 390,000 credentials through a malicious GitHub repository masquerading as a WordPress publishing tool. Security researchers at Datadog Security Labs have identified the threat actor, dubbed MUT-1244, who targeted security researchers and penetration testers through multiple attack vectors.
The campaign utilized two primary approaches:
1. Trojanized GitHub repositories hosting fake proof-of-concept (PoC) code
2. Targeted phishing emails to academics
The main malicious repository, “github[.]com/hpc20235/yawpp,” presented itself as “Yet Another WordPress Poster” and contained a compromised npm dependency package named @0xengine/xmlrpc. This package, active from October 2023, received approximately 1,790 downloads before its removal.
The attackers deployed second-stage malware through four methods:
– Backdoored configure compilation files
– Malicious PDF payloads
– Python droppers
– Malicious npm package “0xengine/meow”
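The compromised npm dependency is the supply-chain piece of this campaign, so a defender-side check is worth showing. The following Python script is an added example and is not code from the article or from Datadog Security Labs. It audits an installed node_modules tree for two things: packages whose name matches a name the article reports, and packages that declare install-time lifecycle hooks (preinstall, install, postinstall, prepare), which is the mechanism by which an npm package can execute code during `npm install`. The sample tree, package contents and hook commands it builds are constructed for the demonstration; the scoped spelling `@0xengine/meow` for the second package is an assumption.

```python
import json
import os
import tempfile

# Package names the article attributes to the campaign. The article writes the
# second one as "0xengine/meow"; the scoped form below is an assumption.
KNOWN_BAD_PACKAGES = {"@0xengine/xmlrpc", "@0xengine/meow"}

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_manifest(manifest):
    """Return (package, reason) findings for one installed package.json (a dict)."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    if name in KNOWN_BAD_PACKAGES:
        findings.append((name, "name matches a package reported in the MUT-1244 campaign"))
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append((name, f"runs code at install time via '{hook}': {scripts[hook]}"))
    return findings


def _is_package_dir(dirpath):
    """True for node_modules/<name> and node_modules/@scope/<name>, not for nested test fixtures."""
    parent = os.path.dirname(dirpath)
    if os.path.basename(parent) == "node_modules":
        return True
    scope = os.path.basename(parent)
    return scope.startswith("@") and os.path.basename(os.path.dirname(parent)) == "node_modules"


def audit_node_modules(root):
    """Walk a node_modules tree (scoped and nested packages included) and audit each package.json."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames or not _is_package_dir(dirpath):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; not a package we can assess
        findings.extend(audit_manifest(manifest))
    return findings


def build_sample_tree(base):
    """Write a constructed node_modules tree under `base` for the demonstration."""
    samples = {
        # Constructed manifest using the reported package name; the hook command is invented.
        "node_modules/@0xengine/xmlrpc/package.json": {
            "name": "@0xengine/xmlrpc", "version": "1.0.0",
            "scripts": {"postinstall": "node lib/setup.js"},
        },
        # Benign library with no install hooks.
        "node_modules/harmless-lib/package.json": {"name": "harmless-lib", "version": "2.1.0"},
        # Native add-on: a legitimate-looking install hook that still deserves review.
        "node_modules/native-addon/package.json": {
            "name": "native-addon", "version": "0.3.0",
            "scripts": {"install": "node-gyp rebuild"},
        },
        # A package.json inside a test fixture directory; it is not an installed package.
        "node_modules/harmless-lib/test/fixtures/package.json": {
            "name": "fixture-not-a-package", "scripts": {"postinstall": "echo ignored"},
        },
    }
    for rel_path, manifest in samples.items():
        full = os.path.join(base, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return os.path.join(base, "node_modules")


def run_sample_audit():
    """Build the constructed tree in a temp dir, audit it and return sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return sorted(audit_node_modules(root))


if __name__ == "__main__":
    for package, reason in run_sample_audit():
        print(f"{package}: {reason}")
```

The install-hook check deliberately flags legitimate native add-ons as well: the point is that every package with an install hook executes code on the developer's machine, so each one should be triaged rather than trusted because its name looks familiar.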
The malware’s capabilities included:
– Cryptocurrency mining
– System information theft
– SSH private key extraction
– Environment variable collection
– AWS credential theft
The campaign specifically targeted offensive security professionals, potentially to gain access to undisclosed security vulnerabilities and exploit information. This marks the first documented instance of a ClickFix-style attack targeting Linux systems.
The stolen credentials were exfiltrated to an attacker-controlled Dropbox account. Many of the compromised victims were themselves threat actors who had obtained these credentials through illegal means.