top-gg - isotope¹³

Incident Summary

Top.gg Python SDK Supply Chain Attack

Attackers hijacked the GitHub account of a Top.gg maintainer using stolen browser cookies to bypass MFA. They modified the repository's requirements.txt to point to a poisoned version of the Colorama package hosted on a typosquatted domain (files.pypihosted.org). The malware stole credentials, discord tokens, and cryptocurrency data.

Date: 2024-03-01 to 2024-03-31
Category: Open Source
Target Surface: Revision control
Insertion Phase: source
Impact: Credential theft
Cause: Compromised Account/Credentials

What Was Affected

Package top-gg

LanguagePython

ComponentLibrary

Artifact typedependency file

Domain typerepository

Domain github.com

Repository github.com/top-gg/python-sdk

Incident Context

Motive: Credential Theft
Attribution: Third Party
Transitive: Yes
User Impact: 170000
Observed Duration: 30 days

External References

checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure

Source Data

Source record: oss/top-gg/meta.yaml