A malicious GitHub repository, now removed, has been found responsible for stealing over 390,000 WordPress credentials. The repository, masquerading as a legitimate WordPress tool to publish posts on the content management system (CMS), served as a front for an elaborate credential theft campaign.
The Attack Campaign: MUT-1244
The malicious activity was attributed to a threat actor dubbed MUT-1244 (short for "Mysterious Unattributed Threat") by Datadog Security Labs. The campaign relied on phishing attacks and trojanized GitHub repositories that hosted fake Proof-of-Concept (PoC) exploits for known security vulnerabilities.
According to researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn:
“Victims are believed to include offensive actors such as pentesters, security researchers, and even malicious threat actors. The campaign resulted in the exfiltration of sensitive data like SSH private keys, AWS access keys, and other critical system information.”
Why Security Researchers Are a Prime Target
Security researchers remain an attractive target for cybercriminals and nation-state actors. By compromising their systems, threat actors can gain access to undisclosed vulnerabilities and exploits under development, which can be weaponized for further attacks.
This attack underscores a growing trend where adversaries exploit the release of new vulnerabilities to create malicious GitHub repositories. These repositories, often created using fake profiles, claim to host legitimate PoCs but are instead engineered to:
Steal sensitive data
Deploy malware
Demand payment in exchange for exploit access
Malicious Payload and Methods
The MUT-1244 campaign employed both phishing emails and weaponized GitHub repositories as initial attack vectors. The malicious payload enabled attackers to:
Steal private SSH keys
Exfiltrate AWS environment variables
Collect system data and folder contents (e.g., ~/.aws)
Deliver cryptocurrency miners
The "Yawpp" Repository
One key repository was "github[.]com/hpc20235/yawpp", presented as Yet Another WordPress Poster. Prior to its takedown, it featured two scripts:
Credential Validation: Confirmed WordPress credentials.
Post Publishing: Used WordPress's XML-RPC API to create posts.
However, hidden within this tool was malicious code embedded in a rogue npm dependency named @0xengine/xmlrpc. Originally published in October 2023 as a JavaScript-based XML-RPC server for Node.js, the package served as a backdoor. Cybersecurity firm Checkmarx revealed that the malicious npm package had been active for over a year, accumulating around 1,790 downloads before being removed.
The yawpp repository facilitated the exfiltration of over 390,000 WordPress credentials to a Dropbox account controlled by the attackers. Notably, many of these credentials were likely obtained by compromising unrelated threat actors who already held them illicitly.
Phishing Attacks and ClickFix-Style Exploits
MUT-1244 also leveraged phishing emails targeting academics. These emails tricked recipients into running shell commands under the guise of performing a kernel upgrade, marking the first documented ClickFix-style attack against Linux systems.
Bogus PoC Exploits on GitHub
Another component of the campaign involved fake PoC repositories. These repositories, often created in October and November 2024, featured AI-generated profile pictures and had no legitimate activity. These bogus exploits delivered second-stage malware through multiple methods:
Backdoored configure compilation files
PDF files embedded with malicious payloads
Python-based droppers
Malicious npm packages like "0xengine/meow"
The Impact
MUT-1244’s campaign successfully compromised dozens of victims, including security researchers, red teamers, and individuals downloading PoC exploit code. The stolen data included:
Private SSH keys
AWS credentials
Command history logs
Researchers concluded:
“MUT-1244 was able to gain access to highly sensitive information, highlighting the need for increased vigilance when dealing with PoC exploits shared on platforms like GitHub.”
Key Takeaways
Be cautious when downloading PoC exploit code from GitHub.
Verify the legitimacy of repositories and their creators.
Avoid running untrusted scripts or commands from emails or public repositories.
Monitor for unusual activity on your systems, including exfiltration attempts.
This incident serves as a stark reminder that attackers continue to exploit the trust within the security research community to infiltrate systems and steal sensitive information.