GitHub under attack — millions of malicious cloud repositories bombard website

GitHub Webpage
(Image credit: Gil C / Shutterstock)

Hackers have found a way to automate duplicating malicious GitHub packages, bombarding the open source cloud repository with millions of repos capable of stealing sensitive information and information cookies.

Cybersecurity researchers from Apiiro Matan Giladi and Gil David explained how since the middle of 2023, hackers have engaged in a typosquatting attack against software developers on an enormous scale. First, they would clone an existing repository, possibly one that’s popular among the developers (such as WhatsappBOT, discord-boost-too, and similar), and infect it with a malware loader.

The loader, hidden behind seven layers of obfuscation, drops a modified version of the open source BlackCap-Grabber. This infostealer grabs authentication cookies and login credentials from a wide array of apps, and sends them to a server under the attackers’ control. BlackCap-Grabber also performs “a long series of additional malicious activities,” the researchers added.

Hundreds of thousands of repos

Once the loader is set up and in place, the attackers will upload it back to GitHub with an identical name, in an attempt to get unsuspecting developers to download the wrong one. Then, they would automatically fork the repository thousands of times, resulting in hundreds of thousands of malicious repositories sitting on the platform. The attack impacted more than 100,000 GitHub repositories, the researchers said, speculating that the actual number is in the millions. 

Finally, the attackers would promote the malicious packages on the web, in different forums, discord channels, and similar, to get as many people to download them.

To make matters even worse, some developers started forking the malicious forks themselves, unknowingly further propagating the campaign.

GitHub has a way to tackle the problem, it was said. Using artificial intelligence, it manages to stop the vast majority of cloned packages before ever reaching the platform. However, 1% survive, amounting to “thousands of malicious repos” it was said.

Via Ars Technica

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.