GitHub users are being targeted with malicious copies of legitimate repositories, a cybersecurity researcher recently uncovered.
Preying on developers who are either short on time, reckless, or just overworked, someone has been copying official GitHub projects such as crypto, golang, python, js, bash, docker, k8s, giving them names similar to the original projects, and slightly altering them in a way that they contain malicious code.
The cunning plan was first spotted by software developer Stephen Lacy, who after reviewing one open source project, noticed a malicious URL hidden within. A quick search through GitHub soon established that more than 35,000 repositories carried the same URL.
Original repositories intact
Another developer, James Tucker, further found the repositories were designed to siphon user environment variables, steal API keys, tokens, crypto keys, but also execute arbitrary code on affected endpoints.
This kind of information can be used in identity theft attacks or ransomware campaigns.
GitHub has since removed the malicious repositories and issued a short statement via Twitter, saying: “GitHub is investigating the Tweet published Wed, Aug. 3, 2022. No repositories were compromised. Malicious code was posted to cloned repositories, not the repositories themselves. The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts.”
While the majority of malicious code changes were made in the last couple of months, with some found to be dating back seven years.
GitHub is one of the biggest open source code repositories in the world, and as such, frequently targeted. Developers are advised to always be extra careful when pulling code from the platform, to pay attention to potential typosquats or repository copies, clones, or forks.
One way to make sure they’re looking at the legitimate code is to look for code commits signed with GPG keys of the project’s authors, the publication concludes.
- These are the best antivirus solutions around