According to the organization's official statement, the attack took place on June 28th at 20:20 UTC. The exact extent of the attack is still unknown; however, attempts to regain control of the organization and its repositories are underway.
“All Gentoo code hosted on GitHub should for the moment be considered compromised,” said the alert.
The alert further stated that the attack does not affect code hosted on the Gentoo infrastructure, since the ebuild repository is hosted on Gentoo's own infrastructure. The organization also assured users that they are fine as long as they are using rsync or webrsync from gentoo.org.
To clarify: this breach does NOT involve the infrastructure by which @Gentoo Linux distributes and updates its software packages. The GitHub repository is just a downstream mirror. https://t.co/y7fSnDayqo
— Jeff Hubbs (@jeffhubbs) June 28, 2018
“Also, the Gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well,” Gentoo wrote on its website.
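A way to check which source a system actually syncs from, written as an added example that is not part of the original article or of Gentoo's tooling: it parses the text of a Portage `repos.conf` file and labels each repository's `sync-uri` according to the distinctions in the alert. The verdict labels and the sample configuration are constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample of a Portage repos.conf (not taken from any real system).
SAMPLE = """\
[DEFAULT]
main-repo = gentoo
[gentoo]
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
[gentoo-git]
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
[mirror]
sync-type = git
sync-uri = https://github.com/gentoo-mirror/gentoo.git
[ssh-clone]
sync-type = git
sync-uri = git@github.com:gentoo/gentoo.git
"""

def _host_and_path(uri):
    """Split a sync-uri into (host, path), including scp-style git remotes."""
    m = re.match(r"^[\w.-]+@([\w.-]+):(.*)$", uri)
    if m:
        return m.group(1).lower(), "/" + m.group(2)
    parsed = urlparse(uri)
    return (parsed.hostname or "").lower(), parsed.path

def classify(uri):
    """Map a sync-uri to a verdict label (labels are this example's own)."""
    host, path = _host_and_path(uri)
    segments = [s for s in path.split("/") if s]
    org = segments[0].lower() if segments else ""
    if host == "github.com" and org == "gentoo":
        return "SUSPECT"        # the GitHub organization named in the alert
    if host == "github.com" and org == "gentoo-mirror":
        return "SEPARATE_ORG"   # separate organization, "likely not affected"
    if host == "gentoo.org" or host.endswith(".gentoo.org"):
        return "GENTOO_INFRA"   # Gentoo's own infrastructure
    return "OTHER"

def audit_repos_conf(text):
    """Return {repo name: verdict} for every repository section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return {name: classify(cfg[name].get("sync-uri", "")) for name in cfg.sections()}
```

Calling `audit_repos_conf()` on the contents of a system's own `repos.conf` file shows at a glance whether any repository pulls from the GitHub organization the alert covers.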
Gentoo developer Francisco Blas Izquierdo Riera said that the attack allowed hackers to replace the portage and musl-dev trees with malicious ebuilds intended to erase all files from the system.
“Whilst the malicious code shouldn’t work as is and GitHub has now removed the organization, please don’t use any ebuild from the GitHub mirror contained before 28/06/2018, 18:00 GMT until new warning,” Riera warned.
If you are a Gentoo user, visit us again, as this article will be updated once the organization comes up with additional information detailing how the attack took place.
This is not the first time that GitHub accounts have been targeted. Last year, owners of GitHub repositories were hit by phishing emails that contained malware capable of stealing data through keyloggers and modules that take screenshots.