Hackers can spoof commit metadata to create false GitHub repositories

Checkmarx security researchers have warned about an emerging new supply chain attack tactic involving spoofed metadata commits to present malicious GitHub repositories as legit.

According to the IT security researchers at Checkmarx, this attack technique allows threat actors to deceive developers into using malicious code. In the Gut version control system, commits are vital elements as these record every change made to the documents, the timeline of change, and who made the change.

Moreover, each commit boasts a unique hash or ID. Developers must remain cautious as threat actors can falsify some data from GitHub repositories to enhance their track record and make them appealing.

How can Commit Metadata Deceive Developers?

Researchers identified that a threat actor could tamper with commit metadata to make a repository appear older than it is. Or else, they can deceive developers by promoting the repositories as trusted since reputable contributors are maintaining them. It is also possible to spoof the committer’s identity and attribute the commit to a genuine GitHub account.

For your information, with open source software, developers can create apps faster and even skip third-party’s code auditing if they are sure that the source of software is reliable. They can choose GitHub repositories maintained actively, or their contributors are trustworthy.

Checkmarx researchers explained in their blog post that threat actors could manipulate the timestamps of the commits, which are listed on GitHub. Fake commits can also be generated automatically and added to the user’s GitHub activity graph, allowing the attacker to make it appear active on the platform for a long time. The activity graph displays activity on private and public repositories, making it impossible to discredit the fake commits.

“This deception technique can be hard to detect as well.”


Attack Tactics Explained

Threat actors will retrieve the email ID of the target account, which is typically hidden if the operator has enabled this feature. Using specific commands, the malicious user can replace the original email and username with the spoofed version in the Git CLI to improve the repository’s reputation.

It is worth noting that the impersonated user won’t receive any notification that their identity is used for nefarious purposes. In order to present the project as trustable, threat actors may use this technique multiple times, include reputed contributors to the repository’s contributor section, and make the project appear highly legit.


Fake metadata misleads developers to use code they otherwise would avoid, and threat actors will gain credibility. To prevent the attack, Checkmarx researchers urged that developers must sign their commits and always keep the vigilant mode enabled on users to ensure optimum safety of the code ecosystem. In the vigilant mode, their commits’ verification status is on display, which is a compelling feature against the supply chain attack.

  1. New backdoor malware hits Slack and Github platforms
  2. GitHub Will Now Support Security Keys for SSH Git Operations
  3. Hackers use Github bot to steal $1,200 in ETH within 100 seconds
  4. GitHub: Hackers Stole OAuth Access Tokens to Target Dozens of Firms
  5. GitHub Blocks Accounts of Two Large Russian Banks Amid US Sanctions
Related Posts