Chinese state-backed threat actors breached the US Treasury Department by compromising a BeyondTrust API key — gaining remote access to Treasury workstations and unclassified documents through the vendor’s privileged remote access infrastructure. HN51 also covers 3.1 million fake GitHub stars identified across 278,000 bot accounts, used to artificially inflate the apparent popularity of malware distribution repositories.
Stories Covered
Chinese Hackers Breach US Treasury via BeyondTrust Vendor Compromise
The US Treasury Department notified Congress that Chinese state-backed threat actors accessed its systems in December 2024 through a compromised API key belonging to BeyondTrust — a third-party vendor whose privileged remote access tools are used by over 20,000 customers across 100 countries, including 75% of Fortune 100 organizations. The attackers stole the key and used it to override BeyondTrust’s cloud security layer, gaining remote access to Treasury departmental workstations and the unclassified documents stored on them. BeyondTrust was alerted on December 5th, revoked the key immediately, and notified the Treasury on December 8th. The FBI and CISA are investigating.
This is a textbook supply chain attack on privileged access infrastructure: rather than breaching the Treasury directly, attackers targeted a vendor that had elevated, trusted access into Treasury systems. Vendors supporting privileged remote access tools typically hold keys that override normal user-level security controls — precisely the kind of access you need to move laterally and reach sensitive workstations without triggering per-user authentication. The incident follows the Salt Typhoon campaign, in which Chinese threat actors were found embedded in major US telecoms — with access to SMS messages in plaintext, since SMS is never end-to-end encrypted and sits in carrier databases during routing.
The pattern is clear: Chinese APTs are running parallel, simultaneous campaigns against US government and critical infrastructure — telecom backbone, Treasury, likely others not yet disclosed. The risk from third-party access is that auditing vendor privilege levels is less systematic than auditing internal accounts, and stolen vendor keys often carry more access than the vendor actually needs for their stated support function. Least-privilege enforcement on vendor accounts and API keys is the mitigation that would have limited the blast radius here.
3.1 Million Fake GitHub Stars Used to Boost Malware Repositories
Researchers analyzed 20 terabytes of GitHub Archive data — covering 60.5 million user actions and 610 million stars across 310 million repositories — and identified 3.1 million inauthentic stars generated by approximately 278,000 bot or coordinated accounts. The detection method, called StarScout, applies the CopyCatch fraud-detection algorithm to find patterns that don’t match organic human behavior: accounts starring a single repository, groups of accounts starring the same repositories within short time windows, and accounts with minimal activity outside of starring behavior.
The practical harm is supply chain in nature. GitHub stars signal trust and popularity to developers choosing between packages. A repository with thousands of stars reads as battle-tested and community-vetted. When those stars are purchased, a malicious package can climb the same rankings as a legitimate one — making it more likely that a developer under deadline will install it without scrutinizing the source. Check Point previously documented the Stargazers Ghost Network, an organized service that sold fake stars specifically to push information-stealing malware repositories up the rankings.
The defense is the same as it has always been: stars are a signal, not a guarantee. Check repository age, commit history, maintainer identity, download counts from package managers (npm, PyPI, etc.), and whether the library is actually referenced in downstream legitimate projects. A high star count on a two-month-old repo with one contributor and no forks warrants more scrutiny, not less.
Leave a Reply