Software supply chain attack impacts repo of large Discord bot community




The trojan deployed on the system has a wide range of data theft capabilities. It searches for specific directories inside the Opera, Chrome, Brave, Vivaldi, Yandex and Edge browsers and extracts authentication cookies, autofill information, browsing history, bookmarks, credit card information and login credentials.

The trojan also attempts to steal files associated with cryptocurrency wallets, Discord tokens that can provide access to Discord accounts, Telegram session tokens, computer files with specific keywords in their names, Instagram account details. The malware also has a keylogger component that captures the victim’s keystrokes and uploads them to the command-and-control server.

It’s safe to assume that if any of the stolen credentials or access tokens provide attackers with access to GitHub accounts with commit privileges to different repositories, they will try to abuse those privileges to further distribute their trojan. Unfortunately, these compromises might not be easy to spot.

The Checkmarx researchers point out that when the attackers added their rogue colorama package to a project’s requirements.txt file, the same commits also included legitimate code contributions and changes. In fact, the rogue repositories hosted copies of legitimate, fully functional projects.

Notably, after the pypihosted.org domain was reported and taken down, one user opened a bug ticket on one of the rogue repositories to report that he was getting an error related to pypihosted.org being down when trying to install the project. This shows how convincing these attacks can be and the snowball effect they can have on the ecosystem, especially if developers from legitimate projects have their accounts hijacked as a result.
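The pattern above (a requirements.txt entry that quietly pulls a package from a lookalike of files.pythonhosted.org) is something a repository owner can check for mechanically. The following is an added example, not code from the article or from Checkmarx: it scans a requirements file for every host pip would contact, reports any host not on an allowlist, and flags unknown hosts that carry PyPI brand tokens as probable lookalikes. The allowlist, the token list and the sample requirements are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hosts pip contacts in a default setup; every other host is reported.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# An unknown host carrying one of these tokens is a likely lookalike
# (the pypihosted.org domain from the article imitates files.pythonhosted.org).
BRAND_TOKENS = ("pypi", "python")
_URL_RE = re.compile(r"""https?://[^\s'"]+""", re.IGNORECASE)

def strip_comment(line: str) -> str:
    """Drop pip-style comments ('#' at line start or ' #' inline); URL fragments survive."""
    line = line.strip()
    return "" if line.startswith("#") else line.split(" #", 1)[0]

def extract_hosts(line: str) -> list:
    """Hosts a line makes pip fetch from: 'pkg @ URL', bare URLs, --index-url,
    --extra-index-url and --find-links arguments all contain a URL."""
    hosts = [urlparse(u).hostname for u in _URL_RE.findall(strip_comment(line))]
    return [h.lower() for h in hosts if h]

def classify_host(host: str) -> str:
    """'allowed', 'lookalike' (unknown host imitating PyPI) or 'unknown'."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    return "lookalike" if any(t in host for t in BRAND_TOKENS) else "unknown"

def audit_requirements(text: str) -> list:
    """(line_no, line, host, verdict) for every host that is not on the allowlist."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        for host in extract_hosts(raw):
            verdict = classify_host(host)
            if verdict != "allowed":
                findings.append((n, raw.strip(), host, verdict))
    return findings

# Constructed sample modelled on the pattern the article describes, not real data.
SAMPLE_REQUIREMENTS = """\
# constructed example requirements.txt
requests==2.31.0
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
--extra-index-url https://mirror.example-internal.net/simple
numpy>=1.26 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    for n, line, host, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {n}: {verdict:<9} {host}  <- {line}")
```

Run it in CI against every requirements file in the repository and fail the build on any finding, so a dependency pointed at a non-PyPI host has to be reviewed explicitly rather than slipping in beside legitimate changes.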


