Full Report
A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials. The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that
Analysis Summary
# Incident Report: MUT-1244 Campaign Targeting Security Researchers via Trojanized Tools
## Executive Summary
A threat actor, dubbed MUT-1244, executed a broad campaign targeting offensive security actors, researchers, and pentesters using trojanized GitHub repositories promoting Proof-of-Concept (PoC) exploit code. The primary technique involved embedding malicious payloads, including a rogue npm dependency, within seemingly legitimate WordPress tools, leading to the exfiltration of sensitive credentials like SSH keys and AWS access keys. The campaign resulted in the compromise of dozens of victims and the estimated exfiltration of over 390,000 credentials, highlighting a growing trend of weaponizing legitimate security research artifacts.
## Incident Details
- Discovery Date: Mid-October 2024 (multiple related repositories identified), with subsequent analysis by Datadog Security Labs.
- Incident Date: Campaign activity noted around October/November 2024 related to PoC repository creation.
- Affected Organization: Undisclosed victims, primarily offensive security actors, pentesters, and security researchers.
- Sector: Technology, Cybersecurity Research.
- Geography: Unknown (Targets appear generally distributed via the internet).
## Timeline of Events
### Initial Access
- Date/Time: Activity noted starting around October/November 2024 for PoC repositories.
- Vector: Trojanized GitHub repositories advertising PoC code; Phishing emails.
- Details:
* **Repository Method:** Threat actors published repositories (e.g., `github[.]com/hpc20235/yawpp`) claiming to offer WordPress tools or PoC exploits linked to recent CVEs. These often used AI-generated profile pictures and had negligible legitimate activity.
* **Phishing Method:** Emails directed academics to launch terminal commands to perform a fake kernel upgrade (ClickFix-style attack targeting Linux).
### Lateral Movement
- Details: The initial payload, delivered via repository download or command execution, was capable of dropping a second-stage payload. This payload harvested system information, SSH keys, environment variables, AWS credential files (e.g., the contents of the `~/.aws` folder), and command history from compromised systems.
### Data Exfiltration/Impact
- Data Compromised: Private SSH keys, AWS access keys, environment variables, system information, and an estimated 390,000 credentials (likely WordPress due to the initial tool examined).
- Exfiltration Method: Data was sent to specific destinations, including File.io and an attacker-controlled Dropbox account.
### Detection & Response
- Detection: Datadog Security Labs analyzed the associated malicious activity, leading to the discovery of the coordinated nature of the campaign (MUT-1244). GitHub eventually took down malicious repositories such as "yawpp."
- Response Actions: Not explicitly detailed, but involved the takedown of the advertised GitHub repository.
## Attack Methodology
- Initial Access: Trojanized GitHub Repositories (fake PoCs); Phishing emails involving copy-pasting terminal commands (ClickFix style).
- Persistence: Not explicitly detailed, but the second-stage malware deployment suggests establishing persistence was a goal.
- Privilege Escalation: Not explicitly detailed, but the mining of credentials and keys suggests privilege acquisition was successful post-compromise.
- Defense Evasion: Use of legitimate platforms (GitHub, npm) to host seemingly beneficial code (PoCs/Tools).
- Credential Access: Directly stealing SSH private keys and AWS access keys from user folders (`~/.aws`). Exfiltrated numerous WordPress credentials (estimated 390k).
- Discovery: Harvesting of command history and environment variables to map the victim's environment.
- Lateral Movement: Attack delivery methods (e.g., npm dependency chain) facilitated initial spread/payload execution.
- Collection: System information, environment variables, specific directory contents (SSH keys, AWS keys).
- Exfiltration: Uploading stolen data to File.io and Dropbox.
- Impact: Cryptocurrency mining (secondary payload observed); Major sensitive credential theft.
## Impact Assessment
- Financial: Unknown, but significant due to the theft of high-value credentials (AWS keys) and the implied cost of incident response for victims.
- Data Breach: Over 390,000 credentials (likely WordPress); Private SSH keys; AWS access keys; System configuration data.
- Operational: Potential disruption on victim machines due to cryptocurrency mining.
- Reputational: Minimal public impact reported, as victims were security professionals who may handle compromise internally.
## Indicators of Compromise
- Network Indicators (Defanged): Traffic to File.io for exfiltration; Communication related to cryptocurrency mining C2 (if active).
- File Indicators: Rogue npm dependency package: `@0xengine/xmlrpc` and `0xengine/meow`; Malicious scripts within the PoC repository.
- Behavioral Indicators: Execution of clipboard/pasted shell commands from unknown sources; Presence of unauthorized miners; Unusual outflow of credential files (e.g., SSH keys) to non-standard cloud storage providers.
## Response Actions
- Containment: Takedown of the malicious GitHub repository (`github[.]com/hpc20235/yawpp`) by GitHub. Removal of the malicious npm package.
- Eradication: Notification to victims believed to be affected by similar PoC repositories to scan systems for second-stage malware, miners, and remove compromised credentials (SSH/AWS).
- Recovery: Victims were required to rotate all compromised SSH private keys and AWS access keys immediately.
## Lessons Learned
- Credential theft via weaponizing utility software (WordPress tools) and PoC exploit code is an effective social engineering vector against skilled users.
- The use of dependency confusion/malicious npm packages embedded within seemingly helpful code significantly expands the reach of the initial infection vector.
- Threat actors are actively targeting security researchers, recognizing that compromising them yields access to potentially zero-day related information or high-value assets (keys).
## Recommendations
- Security researchers and pentesters must rigorously vet any PoC code or third-party tools downloaded from public repositories, especially if they require execution or dependency installation.
- Implement strict egress filtering and monitoring, specifically watching for data uploads to ephemeral file hosting services like File.io.
- Organizations should enforce MFA on all critical accounts (e.g., AWS) and use credential management solutions rather than storing raw SSH private keys or access keys in environment variables or easily accessible configuration files.
- Improve telemetry on Linux systems to detect command-and-control style execution initiated via seemingly benign updates or utility installations (ClickFix-style defense).
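The vetting step recommended above can be partly automated before any `npm install` is run. The following is an added example (not code from the report or from Datadog) that checks a repository's `package.json` for the rogue package names listed in the Indicators of Compromise section and for lifecycle hooks that execute on install; it generalizes the IoC list slightly by also flagging any package under the `0xengine` scope, and the sample manifest is constructed for illustration.

```python
import json

# Rogue npm package names taken from the report's IoC list
ROGUE_PACKAGES = {"@0xengine/xmlrpc", "0xengine/meow"}
# Flagged scope derived from those names (assumption: same publisher)
FLAGGED_SCOPE_PREFIXES = ("@0xengine/", "0xengine/")
# npm lifecycle hooks that run automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def vet_package_json(text: str) -> list[str]:
    """Return a list of human-readable findings for a package.json document."""
    pkg = json.loads(text)
    findings = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if name in ROGUE_PACKAGES:
                findings.append(f"known rogue dependency in {field}: {name}@{spec}")
            elif name.startswith(FLAGGED_SCOPE_PREFIXES):
                findings.append(f"dependency from flagged scope in {field}: {name}")
    # Any command here executes on the developer's machine at install time
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"lifecycle hook '{hook}' runs on install: {cmd}")
    return findings


# Constructed sample manifest modelled on a trojanized WordPress tool;
# the package name, version and script are made up for this example.
SAMPLE_MANIFEST = json.dumps({
    "name": "wp-poster",
    "dependencies": {"@0xengine/xmlrpc": "^1.3.0", "axios": "^1.6.0"},
    "scripts": {"postinstall": "node setup.js"},
})

if __name__ == "__main__":
    for finding in vet_package_json(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Run it against the manifest of any PoC or tool repository before installing; a clean manifest returns an empty list, and any finding should be reviewed by hand rather than installed.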