The hacker group MUT-1244 has conducted a year-long campaign, stealing 390,000 WordPress login credentials along with a large amount of other sensitive data by using trojanized GitHub repositories to spread malware.
These repositories were embedded with malicious code that steals WordPress credentials, SSH keys, and AWS access from victims, including security researchers, red team members, testers, and white-hat hackers.
The trojanized repositories were advertised as legitimate resources, even being automatically integrated into trusted sources like Feedly Threat Intelligence and Vulnmon. However, inside them were malicious payloads. Victims were tricked into installing malware through phishing emails masquerading as CPU kernel upgrade notifications, leading to their systems being compromised.
Part of this hacker group’s strategy is to use a tool called Yawpp, promoted as a WordPress credential checker. In reality, this is a tool for exploiting and verifying stolen accounts, which are often bought and sold on the dark web.
The stolen data includes SSH keys, AWS access information, and command history from the compromised systems. All of it is automatically uploaded to file-sharing platforms such as Dropbox and file.io by a second, encrypted payload that gathers whatever access information is available on the host.
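The combination described above (reading local credential stores, then uploading them to a file-sharing service) is something a defender can look for before running code from an unfamiliar repository. The following triage script is an added example written for this article; it is not code from MUT-1244, from any of the trojanized repositories, or from the researchers who reported the campaign. The indicator patterns, the sample file contents, and the risk-level thresholds are assumptions constructed for illustration, not indicators published for this campaign.

```python
"""Triage helper: flag repository files that both reference local credential
stores and talk to file-sharing endpoints. Added example, not MUT-1244 code."""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Indicator patterns (assumptions modelled on the behaviour described above).
CREDENTIAL_PATTERNS = {
    "ssh_keys": re.compile(r"\.ssh[/\\](id_[a-z0-9]+|authorized_keys|known_hosts)|~/\.ssh", re.I),
    "aws_credentials": re.compile(r"\.aws[/\\]credentials|AWS_SECRET_ACCESS_KEY", re.I),
    "shell_history": re.compile(r"\.(bash|zsh)_history|HISTFILE", re.I),
}
EXFIL_PATTERNS = {
    "file_io": re.compile(r"https?://(www\.)?file\.io", re.I),
    "dropbox": re.compile(r"content\.dropboxapi\.com|api\.dropboxapi\.com", re.I),
}
# A long base64-looking run often hides a second-stage payload in a script.
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

# File types worth scanning in a cloned repository (assumption).
SCAN_SUFFIXES = {".sh", ".py", ".js", ".ts", ".rb", ".pl", ".txt", ".md", ""}


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return which indicator families fire on a single file's contents."""
    hits: Dict[str, List[str]] = {"credential_access": [], "exfil_endpoint": [], "encoded_blob": []}
    for name, pattern in CREDENTIAL_PATTERNS.items():
        if pattern.search(text):
            hits["credential_access"].append(name)
    for name, pattern in EXFIL_PATTERNS.items():
        if pattern.search(text):
            hits["exfil_endpoint"].append(name)
    if ENCODED_BLOB.search(text):
        hits["encoded_blob"].append("base64_like")
    return hits


def risk_level(hits: Dict[str, List[str]]) -> str:
    """Credential access plus an upload endpoint in one file is the strongest signal."""
    if hits["credential_access"] and hits["exfil_endpoint"]:
        return "high"
    if hits["credential_access"] or hits["exfil_endpoint"] or hits["encoded_blob"]:
        return "medium"
    return "low"


def scan_repo(root: Path) -> Dict[str, str]:
    """Walk a checked-out repository and rate every text file."""
    results: Dict[str, str] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        results[str(path.relative_to(root))] = risk_level(scan_text(text))
    return results


# Constructed sample file contents used to demonstrate the scanner offline.
BENIGN_SAMPLE = """#!/bin/sh
# constructed: an ordinary proof-of-concept launcher
python3 poc.py --target "$1"
"""

SUSPICIOUS_SAMPLE = """#!/bin/sh
# constructed: mirrors the article's description; deliberately inert
FILES="$HOME/.ssh/id_rsa $HOME/.aws/credentials $HOME/.bash_history"
UPLOAD_URL="https://file.io"
"""


if __name__ == "__main__":
    # Usage: python triage.py /path/to/cloned/repo  (or no argument for the demo)
    if len(sys.argv) > 1:
        for name, level in sorted(scan_repo(Path(sys.argv[1])).items()):
            if level != "low":
                print(f"{level:6} {name}")
    else:
        for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
            hits = scan_text(sample)
            print(f"{label}: {risk_level(hits)} {hits}")
```

The scanner is deliberately coarse: it rates a file "high" only when credential-store references and an upload endpoint appear together, which is the pairing the article describes, and "medium" when only one family or a long encoded blob is present. A "medium" hit on a legitimate backup or deployment script is expected and is the point at which a human reviews the file rather than a cue to block it.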
Even more concerning, these attacks are still ongoing, with hundreds of systems still compromised, which indicates that the campaign shows no sign of abating. Important data such as SSH keys, AWS tokens, and WordPress login credentials remain exposed, increasing the risk of follow-on attacks.