Emergent AI-Enabled Supply Chain Exploitation: PyStoreRAT Targets Open-Source
A new malware campaign is abusing open-source trust to land in developer machines and CI pipelines. Morphisec Threat Labs reports attackers are using AI-polished GitHub repositories as delivery vehicles for a stealthy backdoor called PyStoreRAT. The loader hides in dependency trees and update scripts, blends into build steps, and adapts its behavior to slip past enterprise defenses.
This isn't a noisy smash-and-grab. It's a patient, iterative approach that uses social proof (stars, forks, clean docs) to earn trust, and then ships malicious updates once adoption grows.
How the attack works
Threat actors reactivated dormant GitHub accounts and pushed projects that look authentic: clean README files, dependency references, contribution logs, and AI-assisted code that passes a quick glance. As repos gained traction, small "maintenance" updates introduced a hidden PyStoreRAT loader in install hooks and build scripts.
After execution, PyStoreRAT profiles the system: OS details, environment variables, IDE configs, installed tools. It then stages modules based on what it finds: C2 beacons, credential harvesters, and file manipulation routines.
Evasion and command infrastructure
PyStoreRAT adjusts its execution when it sees EDR processes like CrowdStrike Falcon, switching to fallback handlers and stretching out communication intervals to reduce behavioral flags. The command layer rotates through GitHub-hosted nodes and disposable domains.
Encrypted task data hides in issues, commits, or Gists, making takedowns harder and traffic quieter. Code comments and build metadata suggest a Russian-speaking link, but attribution remains under investigation.
Why this matters to dev and IT teams
Developers trust open-source signals by default. CI/CD pipelines automate that trust at scale. That combination turns dependency updates, install scripts, and post-install hooks into ideal entry points for persistent access.
What to do now
- Freeze and verify dependencies: Pin versions. Use hash pinning (e.g., requirements with hashes, lockfiles). Don't auto-merge dependency bumps; require review, testing, and provenance checks.
- Validate repo provenance: Check account age/activity, contributor history, release cadence, and stars/forks growth. Prefer organizations with signed releases and transparent governance. Require 2FA for org members.
- Scan before build and at install: Run source, SBOM, and dependency scans as a pre-build gate. Add a step that inspects setup.py/postinstall hooks for network calls, shell spawns, or obfuscated blobs.
- Adopt signed artifacts and provenance: Enforce artifact signing and build attestations across services and libraries. Use Sigstore/Cosign for signatures and SLSA for provenance and build integrity.
- Harden CI/CD: Use ephemeral runners, least-privilege tokens, and strict egress policies. Block CI runners from posting to Gists or creating issues. Lock webhooks, enforce branch protection, and use CODEOWNERS with mandatory reviews.
- Detect GitHub-as-C2 behaviors: Alert on unusual CI or developer workstation traffic to api.github.com for issues/Gists outside normal workflows. Watch for Python processes spawning shells or making outbound connections after installs.
- EDR tuning: Create rules for delayed beacons, long sleep intervals, and staged Python loaders. Correlate install/build phases with network activity to off-domain endpoints.
- Secrets hygiene: Keep tokens out of environment variables and build logs. Rotate frequently, use short-lived, fine-grained credentials, and store secrets in a vault with workload identity.
- Incident response: Pull Morphisec's IOCs and YARA rules and search endpoints, containers, and CI artifacts. Quarantine affected systems, rotate credentials, and reimage where persistence is suspected.
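The GitHub-as-C2 and long-sleep beacon detections above, as an added example that is not part of the article or Morphisec's published rules. It assumes a constructed egress-log line format and a "ci-runner" host-naming convention; hosts, gist id and timestamps in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed egress-log format (assumption): "<iso-timestamp> <host> <method> <dest-host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\S+)$")
# GitHub REST paths the article names as C2 storage: Gists and repository issues (and comments)
C2_PATH_RE = re.compile(r"^/(gists(/[0-9a-f]+)?|repos/[^/]+/[^/]+/issues(/\d+)?(/comments)?)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, dst, path = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "method": method, "dst": dst, "path": path}

def detect_github_c2(lines, ci_prefix="ci-runner", min_sleep=300, tolerance=0.1, min_hits=3):
    """Two rules: (1) CI runners writing to Gists/issues; (2) any host re-polling one
    Gist/issue path at a steady interval >= min_sleep seconds (long-sleep beacon)."""
    alerts, series = [], defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["dst"] != "api.github.com" or not C2_PATH_RE.match(ev["path"]):
            continue
        if ev["host"].startswith(ci_prefix) and ev["method"] in {"POST", "PUT", "PATCH"}:
            alerts.append(f"{ev['host']}: CI runner writing to {ev['path']} ({ev['method']})")
        series[(ev["host"], ev["path"])].append(ev["ts"])
    for (host, path), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean >= min_sleep and all(abs(g - mean) <= tolerance * mean for g in gaps):
            alerts.append(f"{host}: beacon-like polling of {path} every ~{int(mean)}s ({len(stamps)} hits)")
    return alerts

# Constructed sample lines (hosts, gist id and timestamps are made up for the demo)
SAMPLE_LOG = """
2024-05-01T10:00:00Z ci-runner-07 GET api.github.com /repos/acme/app/pulls/12
2024-05-01T10:00:05Z ci-runner-07 POST api.github.com /gists
2024-05-01T10:00:09Z ci-runner-07 POST api.github.com /repos/acme/app/issues
2024-05-01T09:00:00Z dev-laptop-3 GET api.github.com /gists/4f3c2a1b
2024-05-01T09:10:01Z dev-laptop-3 GET api.github.com /gists/4f3c2a1b
2024-05-01T09:19:58Z dev-laptop-3 GET api.github.com /gists/4f3c2a1b
2024-05-01T09:30:00Z dev-laptop-3 GET api.github.com /gists/4f3c2a1b
2024-05-01T09:05:00Z dev-laptop-9 GET api.github.com /repos/acme/app/issues/77
2024-05-01T11:42:00Z dev-laptop-9 GET api.github.com /repos/acme/app/issues/77
""".strip().splitlines()
```

Tune `min_sleep` and `tolerance` to the baseline of your own workflows; legitimate release tooling that files issues from CI should be allow-listed by runner name rather than by loosening the rule.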
Indicators and patterns worth reviewing
- New or "revived" repos that quickly gain stars/forks paired with frequent small updates.
- Dependency updates that add install scripts, setup hooks, or postinstall steps that fetch remote content.
- Obfuscated strings (base64, XOR), indirect imports, or runtime code eval in packaging scripts.
- Build logs showing network calls during install that reach GitHub issues/Gists or unusual domains.
- Processes reading IDE configs, SSH keys, or cloud credentials shortly after dependency installation.
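A static pre-build check for the install-hook red flags listed above (network calls, shell spawns, runtime eval, decoder calls, opaque blobs, custom install commands), as an added example that is not from the article. The two setup.py samples are constructed for the demo, not real packages, and the flagged names are a starting allow-list you would extend.

```python
import ast, re

NETWORK_MODULES = {"urllib", "urllib3", "requests", "socket", "http", "httpx", "ftplib"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output"}
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}
DECODER_CALLS = {"base64.b64decode", "base64.b85decode", "codecs.decode", "zlib.decompress"}
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{120,}$")  # long base64-looking string literal

def _call_name(func):
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""

def scan_packaging_script(source):
    """Static triage of a setup.py / post-install script; returns a list of findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append(f"network import: {alias.name}")
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in DYNAMIC_CALLS:
                findings.append(f"dynamic code execution: {name}()")
            elif name in SHELL_CALLS:
                findings.append(f"shell spawn: {name}()")
            elif name in DECODER_CALLS:
                findings.append(f"decoder call: {name}()")
            elif name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append("custom install hook via cmdclass")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and BLOB_RE.match(node.value):
            findings.append(f"opaque blob literal ({len(node.value)} chars)")
    return findings

# Constructed samples (not real packages): a clean setup.py and one carrying install-hook red flags
CLEAN_SETUP = 'from setuptools import setup\nsetup(name="demo", version="1.0", packages=["demo"])\n'
SUSPICIOUS_SETUP = '''import base64, subprocess, urllib.request
from setuptools import setup
from setuptools.command.install import install
PAYLOAD = "BLOB"
class PostInstall(install):
    def run(self):
        exec(base64.b64decode(PAYLOAD))
        subprocess.Popen(["sh", "-c", "echo installed"])
setup(name="demo", version="1.0", cmdclass={"install": PostInstall})
'''.replace("BLOB", "A" * 160)  # placeholder blob; decodes to nothing meaningful
```

Run it as a CI gate over setup.py, setup.cfg-driven build hooks and any postinstall script in the dependency tree; a non-empty result should block the merge until a human reviews the script.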
Team policies that lower risk
- Mandatory 2FA, commit signing, and verified publishers for dependencies you adopt.
- A "trust-but-verify" playbook: provenance checks, code review on transitive pulls, and SBOM diffing on every bump.
- A kill-switch for dependency auto-updates across all package managers and base images.
- Security office hours with dev leads to review new third-party components before production use.
Authoritative resources
- SLSA: Supply-chain Levels for Software Artifacts
- Sigstore Cosign: Container and artifact signing
Bottom line: treat every dependency update and install hook as untrusted code. Tighten provenance, enforce signing, block risky egress in CI, and monitor for GitHub-abuse patterns. Trust is earned, not assumed.