A malicious GitHub repository disguised as a WordPress tool has led to the exfiltration of over 390,000 credentials, according to a report by Datadog Security Labs. The repository, named “yawpp,” claimed to offer a utility called “Yet Another WordPress Poster” for publishing posts to WordPress websites. However, it contained hidden malicious code embedded in a rogue npm dependency, which allowed attackers to siphon sensitive information to a Dropbox account under their control. Victims include security researchers, penetration testers, and potentially malicious threat actors, highlighting the widespread impact of this campaign.
The attack, attributed to a threat actor identified as MUT-1244, involved phishing emails and trojanized GitHub repositories hosting fake Proof-of-Concept (PoC) exploits for known vulnerabilities. Victims were lured into downloading the repository or clicking on phishing links, which led to the installation of second-stage malware. This malware not only enabled cryptocurrency mining but also targeted critical data, such as SSH keys, AWS access credentials, and environment variables. The use of AI-generated profile pictures for the fake GitHub accounts further underscores the sophistication of the operation.
Datadog researchers disclosed that the malicious repository facilitated the theft of WordPress credentials from unrelated threat actors who had illicit access to them. Additionally, MUT-1244 deployed various payload delivery methods, including backdoored configuration files, Python droppers, and malicious npm packages, further complicating detection. These tactics reflect a growing trend among attackers to exploit public platforms like GitHub and npm to deliver malware under the guise of legitimate tools or code samples.
This incident underscores the critical need for cybersecurity professionals and developers to verify the authenticity of open-source repositories before downloading or using their contents. The increasing prevalence of attacks targeting researchers and offensive security practitioners demonstrates how cybercriminals exploit trust within the community to access sensitive information. Proactive measures, such as employing sandbox environments for testing and enhancing threat intelligence sharing, are essential to mitigate the risks posed by such sophisticated campaigns.
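One concrete way to apply the "verify before you install" advice above is to screen a repository's package.json for the two mechanisms this campaign relied on: install-time hooks that execute code during `npm install`, and dependencies pulled from outside the npm registry. The script below is an added example, not Datadog's or the yawpp repository's code; the manifest, package and account names in it are constructed placeholders, not the actual rogue dependency.

```python
"""Pre-install screen for an npm package.json (added example; constructed data)."""
import json
import re

# Scripts npm runs automatically during `npm install`; hidden code in a rogue
# dependency most commonly rides along in one of these hooks.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Shell fragments that have no business in the build step of a WordPress posting tool.
SUSPICIOUS_SHELL = re.compile(
    r"(curl|wget|node\s+-e|base64\s+-d|eval\(|dropbox)", re.IGNORECASE
)

# Dependency specs that bypass the npm registry and its published metadata.
NON_REGISTRY_SPEC = re.compile(r"^(git\+|git://|https?://|github:|file:)")


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for a parsed package.json; empty list if clean."""
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"install-time hook '{hook}' runs: {cmd}")
            if SUSPICIOUS_SHELL.search(cmd):
                findings.append(f"hook '{hook}' fetches, decodes or evaluates content")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(f"{section}: '{name}' resolved outside the registry ({spec})")
    return findings


def audit_json(text: str) -> list[str]:
    """Convenience wrapper: audit a raw package.json string."""
    return audit_manifest(json.loads(text))


# Constructed manifest modelled on the shape of a trojanized tool; all values are invented.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-wp-poster",
    "scripts": {
        "build": "tsc",
        "postinstall": "node -e \"require('example-rogue-dep')\"",
    },
    "dependencies": {
        "axios": "^1.6.0",
        "example-rogue-dep": "git+https://github.com/attacker-placeholder/dep.git",
    },
})

if __name__ == "__main__":
    for line in audit_json(SAMPLE_PACKAGE_JSON):
        print("FLAG:", line)
```

Running the screen before `npm install` (or installing with `--ignore-scripts` until the flagged hooks are reviewed) catches the install-time execution path without having to read every dependency by hand.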