The developers of Plone, a free content management system written in Python and JavaScript/Node.js, have announced an incident in which malicious code was added to the project’s git repositories on GitHub. Initially, three commits dated January 7 were identified (1, 2, 3) that added malicious code to the project’s JavaScript files (1, 2, 3). Analysis showed that the malicious code was introduced through a compromised developer account: the attackers obtained the developer’s access token via malware and used it to push the commits.
On January 14 the compromised account was blocked, and the project’s developers advised reviewing all commits made between January 1 and January 14. Later, on January 27, it emerged that the attack was broader than initially thought: malicious code had been quietly integrated into five of the project’s repositories (plone/volto, plone/mockup, plone/plone.app.mosaic, plone/critical-css-cli, plone/plonetheme.barceloneta). In the case of plone.app.mosaic, the attackers managed to replace the master branch outright. The attack took place about two months after the developer’s access token had been captured.
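Two checks that follow from the advice above, as an added example rather than tooling from the Plone project or its advisory: verify that a previously recorded known-good tip is still reachable from a branch (if it is not, the branch was replaced rather than appended to), and list every commit that landed in a given date window for manual review. The script needs only `git`; the repository, the `master` branch name, the `index.js` file, the commit messages and all dates are constructed for the demonstration and are not taken from the real incident, and the injected line is a neutral placeholder, not the actual payload.

```shell
#!/bin/sh
# Added example (not Plone's code): detect a replaced branch and list commits
# in a review window. Everything below is built in a throwaway repository with
# constructed dates; the real incident's files and payload are not reproduced.
set -eu

# Exit 0 if commit $2 is still an ancestor of branch $3 in repo $1, meaning the
# branch has only been appended to. Exit 1 if the old tip was dropped, which is
# what a history-rewriting force push looks like from the outside.
history_intact() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# One line per commit on branch $2 of repo $1 whose committer date lies
# between $3 and $4 (git's --since/--until filter on the committer date).
commits_in_window() {
    git -C "$1" log --format='%H %cI %an %s' --since="$3" --until="$4" "$2"
}

# Build a throwaway repo with two benign commits (constructed December dates)
# and print its path.
make_benign_repo() {
    d=$(mktemp -d)
    git -C "$d" init -q
    git -C "$d" symbolic-ref HEAD refs/heads/master
    git -C "$d" config user.name "Maintainer"
    git -C "$d" config user.email "maintainer@example.invalid"
    git -C "$d" config commit.gpgsign false
    echo 'export const answer = 42;' > "$d/index.js"
    git -C "$d" add index.js
    GIT_AUTHOR_DATE=2025-12-20T10:00:00+00:00 GIT_COMMITTER_DATE=2025-12-20T10:00:00+00:00 \
        git -C "$d" commit -q -m "Initial import"
    echo 'export const helper = () => answer + 1;' >> "$d/index.js"
    git -C "$d" add index.js
    GIT_AUTHOR_DATE=2025-12-28T10:00:00+00:00 GIT_COMMITTER_DATE=2025-12-28T10:00:00+00:00 \
        git -C "$d" commit -q -m "Add helper"
    echo "$d"
}

# Simulate the attacker in repo $1: drop the latest commit, replace it with one
# that appends a line to the JS file, and point master at the new commit. On a
# remote this is the effect of a force push: the old tip is no longer reachable.
# The commit message is reused in this demo so the rewrite is not obvious in the log.
simulate_history_rewrite() {
    git -C "$1" reset -q --hard HEAD~1
    echo '// constructed placeholder for injected code (not the real payload)' >> "$1/index.js"
    git -C "$1" add index.js
    GIT_AUTHOR_DATE=2026-01-07T09:30:00+00:00 GIT_COMMITTER_DATE=2026-01-07T09:30:00+00:00 \
        git -C "$1" commit -q -m "Add helper"
}

# Stand-alone walkthrough: record the known-good tip, let the "attacker" rewrite
# the branch, then run both checks.
demo() {
    repo=$(make_benign_repo)
    known_good=$(git -C "$repo" rev-parse master)
    simulate_history_rewrite "$repo"
    if history_intact "$repo" "$known_good" master; then
        echo "master still contains $known_good"
    else
        echo "ALERT: $known_good is no longer reachable from master; the branch was rewritten"
    fi
    echo "Commits landing between 2026-01-01 and 2026-01-14 (constructed window):"
    commits_in_window "$repo" master 2026-01-01 2026-01-14
    rm -rf "$repo"
}
demo
```

Against a real remote, record the tip you last fetched (for example `git rev-parse origin/master` before fetching), fetch, and then pass the old tip and `origin/master` to `history_intact`. Note that commit dates are asserted by whoever pushes the commit, so an attacker holding a valid token can backdate or otherwise disguise them; a date-window listing is a starting point for review, not proof that nothing else was touched, and should be combined with the ancestry check and the hosting platform's own push logs.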
Instead of regular commits, the attackers utilized a “force push