Researchers at Datadog Security Labs discovered a threat actor labelled as MUT-1244 has stolen more than 390,000 WordPress credentials. The theft occurred after a year-long large-scale campaign, targeting pentesters, security researchers, and even other malicious actors. 

Security leaders weigh in 

Casey Ellis, Founder and Advisor at Bugcrowd:

Targeting red-teamers and security researchers through fake POCs is a troll technique as old as security research itself. However, as this attack demonstrates, it can also be an effective approach to watering-hole attacks. This is a good reminder for those who provide offensive security services that they themselves are part of an exploitable supply-chain, and that malicious attackers know this.

Jason Soroko, Senior Fellow at Sectigo:

Attackers set up dozens of GitHub repositories with fake proof-of-concept exploits. Victims who were security pros, red teamers and threat actors unknowingly installed malicious second-stage payloads that stole credentials and keys. Simultaneously, a phishing campaign tricked targets into installing a fake kernel update.

These trojanized repos looked legitimate, often appearing in trusted threat intelligence feeds. By downloading and running this code, victims essentially infected themselves.

This supply chain attack compromised the normal software acquisition process. Instead of attacking targets directly, the attackers poisoned the sources victims relied on to obtain tools and exploits.

Stephen Kowski, Field CTO at SlashNext Email Security+:

The attack used multiple methods to compromise victims. Trojanized GitHub repositories containing malicious code posed as legitimate proof-of-concept exploits, luring security professionals to download and run them. A phishing campaign also tricked targets into installing malware disguised as a CPU update, widening the attack surface.

This attack targeted the software development pipeline by corrupting widely-used libraries and tools. The malicious code could spread to numerous downstream applications and systems once installed. The use of popular code-sharing platforms like GitHub as an attack vector shows the critical need for robust verification processes and real-time threat detection in development workflows.

This campaign highlights why teams must examine all code, even from trusted sources. Advanced threat detection tools that spot malicious code patterns and suspicious behaviors in real-time help reduce these risks. Organizations benefit from automated security scanning solutions that analyze dependencies and identify potential threats before they spread through the software supply chain.