Open Source · 2024-03-01 · 30 days · Credential Theft

Top.gg Python SDK stole credentials

Attackers hijacked the GitHub account of a Top.gg maintainer using stolen browser cookies to bypass MFA. They modified the repository's requirements.txt to point to a poisoned version of the Colorama package hosted on a typosquatted domain (files.pypihosted.org).

Story

The Top.gg attack used source control as the first distribution step. Attackers hijacked a maintainer's GitHub account with stolen browser cookies, bypassing MFA, and committed a change to the official python-sdk repository. The change looked like dependency plumbing: requirements.txt pointed at a Colorama package on a fake Python-hosting domain.

That small dependency edit routed installers away from the real package path. Checkmarx reported the fake infrastructure used files.pypihosted.org, a domain chosen to resemble legitimate PyPI file hosting. Users installing from the official Top.gg repository could therefore receive malware through the dependency resolver.

The malware focused on developer and Discord credentials, browser data, and cryptocurrency material. Checkmarx estimated more than 170,000 users were affected by the wider campaign using fake Python infrastructure. This record keeps the Top.gg SDK scope separate because the compromised source repository and dependency-file edit are specific and verifiable.

The incident is a useful example of source-level dependency steering. The attacker did not have to publish a malicious Top.gg package; changing one requirements file inside the trusted repository was enough to make normal installation follow a hostile package URL.
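One defensive check this incident suggests, added here as an example and not code from Top.gg, Checkmarx or the source record: a scanner over a requirements file that flags any line steering pip toward a host outside an allowlist, whether through index or find-links options or through a direct URL requirement, and separately marks hosts that borrow PyPI vocabulary the way files.pypihosted.org does. The allowlist (pypi.org and files.pythonhosted.org), the lookalike heuristic and the sample file contents are my assumptions.

```python
"""Flag requirements.txt lines that pull packages from non-allowlisted hosts."""
import re
from urllib.parse import urlparse

# Hosts a normal pip install against the public index is expected to touch.
# Assumed allowlist for this example; swap in your own mirror or proxy.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# pip option lines that change where packages are resolved or downloaded from.
REDIRECT_OPTS = ("--index-url", "-i", "--extra-index-url", "--find-links", "-f")

# Tokens a lookalike host tends to borrow from the real PyPI hostnames.
PYPI_WORDS = ("pypi", "pythonhosted", "python")

URL_RE = re.compile(r"https?://[^\s#]+")


def looks_like_pypi(host):
    """Heuristic: host uses PyPI vocabulary but is not an allowed host."""
    return host not in ALLOWED_HOSTS and any(w in host for w in PYPI_WORDS)


def check_requirements(text):
    """Return (line_no, kind, host, line) findings for suspicious lines.

    kind is 'redirect' for option lines that move the index/download source,
    'direct-url' for 'name @ url' or bare URL requirements, and 'lookalike'
    when the host additionally resembles PyPI's hostnames.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        urls = URL_RE.findall(line)
        if not urls:
            continue  # plain 'name==version' lines resolve via the index
        kind = "redirect" if line.startswith(REDIRECT_OPTS) else "direct-url"
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if host in ALLOWED_HOSTS:
                continue
            findings.append((no, "lookalike" if looks_like_pypi(host) else kind, host, line))
    return findings


# Constructed sample requirements file; the package path is a placeholder,
# only the hostname is taken from the incident record.
SAMPLE = """\
# constructed sample requirements file for this example
requests==2.31.0
colorama @ https://files.pypihosted.org/packages/colorama-PLACEHOLDER.tar.gz
--extra-index-url https://mirror.example.internal/simple
numpy>=1.26  # resolved from the default index
"""

if __name__ == "__main__":
    for no, kind, host, line in check_requirements(SAMPLE):
        print(f"line {no}: {kind:<10} host={host}  :: {line}")
```

Run it in CI against every requirements file in a repository; a finding of kind `lookalike` or `redirect` that was not expected is the signal to block the merge and inspect the commit that introduced it.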

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: Third Party
User Impact: 170000

External References

Source record: oss/attacks/top-gg/meta.yaml