GitHub repositories are being attacked and wiped in new extortion scam

(Image credit: Shutterstock / fiskes)

GitHub users are falling victim to an ongoing extortion campaign that threatens to delete their data for good.

Cybersecurity researchers from CronUp have warned of a threat actor with the alias Gitloker breaking into people’s GitHub accounts, stealing the contents, and then wiping the accounts clean.

After that, the attacker would leave a note in the account, inviting the victim for a Telegram chat, where they could negotiate the return of the files, in exchange for money: "I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup," the threat actor says in the ransom note.

Securing your GitHub account

At this time, it is unknown how Gitloker managed to compromise these accounts. BleepingComputer speculates that they’re likely using credentials stolen in earlier attacks. Alternatively, they might have obtained them on the dark web.

Given its huge populairty, GitHub often faces a barrage of different cyberattacks, and users should do their part in securing their files on the platform by enabling two-factor authentication, or setting up a passkey as an alternative to a password-based login. They should review and revoke unauthorized access to SSH keys, deploy keys, and authorized integration, and should verify all email addresses associated with their account.

Finally, they should keep track of security logs and manage webhooks.

Usually, threat actors would try to smuggle malware into GitHub repositories, often by means of typosquatting. They would create a repository with a name almost identical to that of a legitimate package, and use automated bots to give it a high rating and a few solid reviews. After that, they would advertise it in coding communities and similar forums.

Besides GitHub, PyPI is another popular code repository that often struggles to contain hacking campaigns.

More from TechRadar Pro

GitHub under attack — millions of malicious cloud repositories bombard website
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.