Developer Stephen Lacy stirred up the community by stating on Twitter that he had uncovered a “massive malware attack” on GitHub that affected about 35,000 repositories. However, it turned out that it was not about compromise or hacking: the discovered repositories turned out to be forks (copies) of other projects created specifically for the distribution of malware.
Let me remind you that we also wrote that Miners abuse GitHub infrastructure, and also that GitHub specialists talked about vulnerabilities in npm.Lacey’s original tweet really alarmed the community, as in it the researcher stated that he had found 35,000 repositories infected with malware, and the attack affected such well-known projects as crypto, golang, python, js, bash, docker and k8s. Unfortunately, many didn’t read past the first post, and in a subsequent thread, Lacy explained exactly what was going on.
While forking is a common practice and even encouraged among developers, in this case, attackers create copies of other people’s projects and infect them with malicious code in order to attack unsuspecting developers through these malicious clones.
It all started when Lacy was looking into some open-source project “found through Google” and noticed the following URL in the code: hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru. As it turns out, a GitHub search turns up this URL in over 35,000 files in a wide variety of repositories.
Bleeping Computer journalists note that this number reflects the number of suspicious files, not infected repositories, so Lacy’s initial estimate was not entirely correct. So, out of 35,788 search results, more than 13,000 results were obtained from one repository – redhat-operator-ecosystem.
After Lacey’s message, many experts began to figure out what exactly he had discovered. For example, James Tucker found that cloned repositories containing a malicious URL extracted user environment variables and were also equipped with a one-line backdoor.
Thus, hackers could not only steal important secrets, including API keys, tokens, credentials from Amazon AWS, and cryptographic keys, but also execute arbitrary code on infected systems.
Bleeping Computer journalists write that the vast majority of clone repositories appeared within the last month (from six to twenty days ago), however, some repositories with malicious commits date back to 2015, that is, they were probably hacked.
However, the most recent commits containing the malicious URLs already come primarily from defenders, including threat analyst Florian Roth, who created the Sigma rules to detect malicious code. Unfortunately, not everyone has figured out what’s going on yet, and some GitHub users have begun to falsely complain about the Sigma repository, considering it to be malicious.
Over the past few hours, GitHub has removed almost all malicious clone repositories from its platform, according to Lacey and journalists.