390,000+ WordPress Accounts Compromised in New GitHub Scam

Hackers have stolen over 390,000 WordPress credentials by exploiting a malicious GitHub repository posing as a tool for publishing posts. The repository, which has since been removed, was part of a larger cyberattack campaign targeting security researchers and threat actors alike. This breach exposed sensitive data, including SSH private keys and cloud access credentials, to the attackers.

How the Attack Unfolded

The malicious campaign, attributed to a threat actor known as MUT-1244 (short for “mysterious unattributed threat”), relied on phishing and trojanized GitHub repositories. The attackers used these fake repositories to host proof-of-concept (PoC) code for known vulnerabilities. Victims who downloaded and ran the code unknowingly executed malware that stole sensitive information.

Cybersecurity researchers revealed that the stolen data included SSH private keys, AWS credentials, and environment variables. The attack particularly targeted offensive security professionals, such as penetration testers and researchers, who often work with sensitive information. As a result, the attackers gained valuable data for further exploitation.

Fake PoC Repositories as a Conduit

MUT-1244’s operation reflects a broader trend where attackers use GitHub repositories as bait. These repositories claim to host PoC exploits for vulnerabilities but instead deliver malware. For example, one such repository, “yawpp,” advertised a WordPress tool for automated publishing. It included scripts to validate credentials and create posts, but it also contained a rogue npm dependency that deployed malware.

This malware enabled attackers to exfiltrate data to Dropbox accounts they controlled. Cybersecurity reports estimate that over 390,000 WordPress credentials were stolen using this method. Researchers also noted that phishing emails lured victims into downloading malicious files, further spreading the attack.

Phishing Emails and Linux Targeting

In addition to GitHub repositories, the attackers used phishing emails to target academics. These emails tricked recipients into running shell commands under the guise of a kernel update. Researchers describe this as the first recorded ClickFix-style attack against Linux systems.

Researchers identified four delivery methods for the malware:

  • Backdoored configuration files
  • Malicious PDFs
  • Python-based droppers
  • Npm packages embedded with malware

These techniques allowed MUT-1244 to compromise dozens of systems, gaining access to private credentials, command histories, and critical system information.

Preventing Future Attacks

To avoid falling victim to such schemes, it is crucial to scrutinize GitHub repositories and avoid downloading unverified PoC code. Moreover, be cautious of unsolicited emails, particularly those that urge you to execute terminal commands or download files. Use trusted sources for software tools, and always verify the legitimacy of packages or scripts. Additionally, enabling multi-factor authentication and monitoring account activity can further protect your credentials.
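A defensive check for the rogue-dependency technique described above (an added example, not code from the article or from any tool it names): before running `npm install` on a cloned repository, audit its manifest and lockfile for lifecycle hooks, which npm executes automatically, and for dependencies fetched from outside the public registry. The sample manifest, the `post-helper` package and the `example.invalid` host are constructed placeholders.

```python
"""Pre-install audit of a cloned repository's npm manifest and lockfile."""
import json
from typing import List, Optional
from urllib.parse import urlparse

# Hooks npm runs during `npm install` without any action by the user; a
# trojanized dependency abuses these to execute its payload on first install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
NON_REGISTRY_PREFIXES = ("git+", "github:", "http://", "https://", "file:")


def audit_manifest(package_json: str, lockfile_json: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    manifest = json.loads(package_json)
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"root manifest runs '{hook}': {cmd}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            # A semver range resolves via the registry; these specs do not.
            if spec.startswith(NON_REGISTRY_PREFIXES):
                findings.append(f"{section}/{name} resolves outside the registry: {spec}")
    if lockfile_json:
        lock = json.loads(lockfile_json)
        # lockfile v2/v3: "packages" maps node_modules paths to resolved entries.
        for path, entry in lock.get("packages", {}).items():
            if not path:
                continue  # "" is the root project itself
            resolved = entry.get("resolved", "")
            host = urlparse(resolved).hostname or ""
            if resolved and host not in TRUSTED_REGISTRY_HOSTS:
                findings.append(f"{path} fetched from untrusted host {host}")
            if entry.get("hasInstallScript"):
                findings.append(f"{path} declares an install script")
    return findings


# Constructed sample inputs modelled on a trojanized "publishing tool" repo.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "post-publisher", "scripts": {"postinstall": "node setup.js"},
    "dependencies": {"express": "^4.0.0",
                     "post-helper": "git+https://example.invalid/post-helper.git"},
})
SAMPLE_LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "post-publisher"},
    "node_modules/express": {"resolved": "https://registry.npmjs.org/express/-/express-4.0.0.tgz"},
    "node_modules/post-helper": {"resolved": "https://example.invalid/post-helper.tgz",
                                 "hasInstallScript": True},
}})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE):
        print("WARN:", finding)
```

Run it against a freshly cloned repository's `package.json` and `package-lock.json` before installing anything; a clean manifest returns no findings.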

By staying alert and employing robust security measures, individuals and organizations can minimize the risks of data theft and system compromise in an increasingly sophisticated threat landscape.
