Pattern 38: Building an Automated Supply Chain Attack Disclosure Pipeline
- Patrick Duggan
- Nov 25, 2025
- 4 min read
Categories: Security Engineering, Threat Intelligence, Automation
Tags: #Pattern38 #SupplyChainAttack #GitHub #Rhadamanthys #Automation
The Problem: Malware in Your GitHub Issues
Here's a scenario that's becoming disturbingly common:
1. You open an issue on a popular open-source project
2. A "helpful" user posts a ZIP file claiming to have a fix
3. You download it because the account is 3 years old and looks legit
4. Your credentials, crypto wallets, and browser data are now on a server in Germany
This is Pattern 38: GitHub Supply Chain Sleeper Accounts.
We identified it. We traced the C2 infrastructure. We got 4 accounts suspended. And today, we built automation so the whole process keeps running without us.
The Timeline
• Discovered sleeper accounts posting malware ZIPs to GitHub issue comments
• Accounts: FireSuper, rampubg14-cmyk, anuxagfr, winchmrsmilegodsgf
• All 90-180 days dormant, then activated simultaneously
• Traced malware to C2 server: `149.102.156.62` (Contabo GmbH, Germany)
• Identified endpoint: `POST /5dc60508ab2db3b4.php`
• Confirmed malware family: Rhadamanthys/Stealc (information stealer)
• Sent 36 professional reports to [email protected]
• 4 accounts confirmed DISABLED by GitHub
• Built automated C2 blocking pipeline
• Posted warnings on 16 affected GitHub issues
• Sent 25 additional security reports with mermaid flow diagrams
The Architecture
```text
┌─────────────────────────────────────────────────────────────────┐
│ PATTERN 38 DISCLOSURE PIPELINE │
└─────────────────────────────────────────────────────────────────┘
│
┌──────────────────────┼──────────────────────┐
▼ ▼ ▼
┌───────────────┐ ┌─────────────────┐ ┌─────────────────────┐
│ DETECTION │ │ ENRICHMENT │ │ DISCLOSURE │
│ │ │ │ │ │
│ pattern-38- │───▶│ pattern-38-c2- │───▶│ pattern-38-gh- │
│ scanner.js │ │ hunter.js │ │ warning.js │
│ │ │ │ │ │
│ • Sleepers │ │ • Download ZIP │ │ • Post comments │
│ • Cultural │ │ • Hash file │ │ • Judge Dredd card │
│ • Fork farms │ │ • Query VT │ │ • Email GitHub │
│ • Saturation │ │ • Extract C2 │ │ • Update STIX │
└───────────────┘ └─────────────────┘ └─────────────────────┘
│ │ │
└──────────────────────┼──────────────────────┘
▼
┌─────────────────────┐
│ AUTO-BLOCKING │
│ │
│ pattern-38-c2- │
│ blocker.js │
│ │
│ • Cloudflare IP │
│ • Hall of Shame │
│ • STIX feed update │
└─────────────────────┘
```
The Evidence Chain
Step 1: Detection
• 25 sleeper accounts (Pattern 38)
• 109 cultural signatures (Pattern 38.5 - Hamza Bendelladj tributes)
• 1 automated saturation bot (Pattern 41)
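The scoring below is an added example, not the project's pattern-38-scanner.js: it checks an issue-comment event against the three traits the timeline describes (aged account, 90+ days dormant, then a ZIP "fix") and clusters sleepers that woke within the same window. The event shape, the thresholds and the account names are assumptions.

```javascript
// Added example, not the project's pattern-38-scanner.js: score a GitHub issue
// comment for the sleeper-account pattern (old account, long dormancy, then a
// ZIP "fix"). Thresholds are assumptions except the 90-day dormancy from the post.
const DAY_MS = 24 * 60 * 60 * 1000;
const MIN_ACCOUNT_AGE_DAYS = 365; // assumed: account age is what buys the victim's trust
const MIN_DORMANCY_DAYS = 90;     // from the post: sleepers were 90-180 days dormant
const ZIP_LINK = /https?:\/\/\S+\.zip\b/i;

// Constructed sample events; logins are placeholders, not the accounts that were reported.
const sampleEvents = [
  { login: "sleeper-a", created_at: "2022-11-20T00:00:00Z",
    previous_activity_at: "2025-05-01T00:00:00Z", commented_at: "2025-11-20T12:00:00Z",
    body: "I had the same crash, here is a fix: https://example.invalid/fix.zip" },
  { login: "sleeper-b", created_at: "2021-06-01T00:00:00Z",
    previous_activity_at: "2025-07-15T00:00:00Z", commented_at: "2025-11-20T14:00:00Z",
    body: "Patched build attached, works for me: https://example.invalid/patch-v2.zip" },
  { login: "active-maintainer", created_at: "2019-03-01T00:00:00Z",
    previous_activity_at: "2025-11-19T08:00:00Z", commented_at: "2025-11-20T12:00:00Z",
    body: "Fixed in #1234, please retest." },
];

const daysBetween = (a, b) => (Date.parse(b) - Date.parse(a)) / DAY_MS;

// Returns the reasons a comment looks like Pattern 38; an empty array means no signal.
function sleeperSignals(ev) {
  const reasons = [];
  const ageDays = daysBetween(ev.created_at, ev.commented_at);
  const dormantDays = ev.previous_activity_at
    ? daysBetween(ev.previous_activity_at, ev.commented_at) : ageDays;
  if (ageDays >= MIN_ACCOUNT_AGE_DAYS) reasons.push(`account age ${Math.floor(ageDays)}d`);
  if (dormantDays >= MIN_DORMANCY_DAYS) reasons.push(`dormant ${Math.floor(dormantDays)}d`);
  if (ZIP_LINK.test(ev.body)) reasons.push("links a ZIP archive");
  return reasons;
}

// Flag only when all three line up; any one of them alone is ordinary GitHub activity.
const isPattern38 = (ev) => sleeperSignals(ev).length === 3;

// Group flagged sleepers whose comments fall within windowHours of each other:
// this is the "activated simultaneously" tell from the timeline.
function simultaneousWakeups(events, windowHours = 24) {
  const hits = events.filter(isPattern38)
    .sort((a, b) => Date.parse(a.commented_at) - Date.parse(b.commented_at));
  const clusters = [];
  for (const ev of hits) {
    const last = clusters[clusters.length - 1];
    if (last && daysBetween(last[0].commented_at, ev.commented_at) * 24 <= windowHours) last.push(ev);
    else clusters.push([ev]);
  }
  return clusters;
}
```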
Step 2: Enrichment
We traced one hash through VirusTotal:
```text
SHA256: 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
VT Detections: 18/70
Malware Family: Stealc/Rhadamanthys
```
The behavior report revealed the C2:
```json
{
  "contacted_ips": [
    {"destination_ip": "149.102.156.62", "destination_port": 80}
  ],
  "http_conversations": [
    {"url": "http://149.102.156.62/5dc60508ab2db3b4.php", "request_method": "POST"}
  ]
}
```
Step 3: Disclosure
We posted this warning on 16 GitHub issues:
```markdown
⚠️ **SECURITY ALERT** - The file(s) linked in this issue contain malware.

Do NOT download: `ZIP attachments`
Malware: Rhadamanthys/Stealc Stealer
VT Detections: 18/70

🔗 VirusTotal: [link]

This warning brought to you by Judge Dredd @ DugganUSA.com
```
Step 4: Auto-Blocking
The C2 IP was automatically:
1. Added to Cloudflare IP list (`malicious_assholes`)
2. Recorded in Hall of Shame (Azure Table Storage)
3. Published to our STIX feed
The Numbers
| Metric | Value |
|--------|-------|
| Accounts reported | 61 |
| Accounts suspended | 4 (so far) |
| C2 IPs blocked | 1 (149.102.156.62) |
| GitHub issues warned | 16 |
| Security reports sent | 61 |
| Time from detection to disclosure | ~48 hours |
| Cost | $0 (existing infrastructure) |
Affected Repositories
High-profile open source projects that were targeted:
• Ultimaker/Cura - 3D printing software (6.4k stars)
• esphome/esphome - Home automation (8.1k stars)
• ScoopInstaller/Main - Windows package manager (1.4k stars)
• geerlingguy/internet-pi - Raspberry Pi project (4.5k stars)
• janeczku/calibre-web - eBook management (12k stars)
• EricLBuehler/mistral.rs - LLM inference (4k stars)
The attackers knew exactly which communities to target: developers who would trust a "helpful" ZIP file.
The Bulletproof Hosting Connection
We found 24 IPs in our blocked list from bulletproof hosting providers:
| ISP | Count | Countries |
|-----|-------|-----------|
| TECHOFF SRV LIMITED | 18 | NL, RO |
| Contabo GmbH | 4 | DE, FR |
These aren't random VPS providers. TECHOFF and Contabo are known for hosting malware C2 infrastructure. When you see these ISPs in your logs, pay attention.
What's Next
The pipeline is now autonomous:
1. Daily scans detect new sleeper accounts
2. C2 hunter traces ZIPs to infrastructure
3. Auto-blocker adds IPs to Cloudflare
4. Disclosure system warns affected repos
We don't need to be awake for this to work. Judge Dredd never sleeps.
The Lesson
Supply chain attacks aren't sophisticated. They're patient.
A 3-year-old account that's been dormant for 6 months posts a "helpful" ZIP. You trust it because of the age. That's the entire attack.
The defense isn't complicated either:
1. Don't download ZIPs from issue comments
2. Check VirusTotal before running anything
3. Subscribe to threat intel feeds (like ours: https://analytics.dugganusa.com/api/v1/stix-feed)
Or just wait for Judge Dredd to post a warning. We're watching.
Resources
• STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed
• VirusTotal Report: https://www.virustotal.com/gui/file/23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
• Our Detection Scripts: Open source at github.com/pduggusa/enterprise-extraction-platform
*"I am the Law. Your supply chain attack days are numbered."* - Judge Dredd
Patrick Duggan DugganUSA LLC [email protected]