Thousands of GitHub Repositories Cloned in Supply Chain Attack

This hasn’t been a great week for the crypto community. On Monday, the Nomad bridge got exploited and lost nearly $200 million. Then on Wednesday, reported that roughly 8,000 Solana blockchain wallets were hacked, and approx. $8 million worth of crypto drained from its wallets.

Now, the GitHub developer platform has become the victim of a malware attack in which the attackers cloned thousands of repositories. This supply chain attack allows attackers to exfiltrate data and perform RCE.

GitHub Facing Widespread Malware Attack

According to developer Stephen Lucy, around 35,000 GitHub repositories have been cloned with malware. The incident was reported on Wednesday when the developer was confronted with the issue while reviewing a GitHub project found through Google search (search phrase= ovz1.j19544519.pr46m.vps.myjinoru).

Lucy noticed a malicious URL included in the code, and when GitHub repositories were scanned for this URL, it gave over 35,000 results.

It is however worth noting that crypto repositories weren’t targeted in the malware attack. However, these are among the impacted repositories. GitHub was notified about the issue on August 3.

More Github Security News

Were the Repositories Hacked?

Bleeping Computer wrote that the repositories weren’t hacked, but actually, these were copied with their clones. These clones were modified to insert malware.

For your information, cloning open source code is common among developers. But, in this case, the attackers injected malicious code/links into genuine GitHub projects to target innocent users.

Furthermore, over 13,000 search results were obtained from a single repository identified as ‘redhat-operator-ecosystem.’ The malicious link exfiltrated the environment variables, which contain sensitive data like Amazon AWS credentials, API keys, and crypto keys, and also contained a one-line backdoor. The malware also lets remote attackers execute arbitrary code on those systems that install/run the clones.

The attack has impacted many crypto projects. These include Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned.

This attack is difficult to spot because genuine GitHub user accounts are spoofed on commits. It is possible because GitHub requires an email address to attribute commits to users, and they can sign commits with GPG.

Since fakes of legit projects can retain past commits and pull requests from genuine users, it becomes difficult to detect fakes. This supply chain attack will not affect those using original GitHub projects.

  1. Iran’s Largest Steel Producer Hit By Crippling Cyberattack
  2. Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices
  3. DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
  4. VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware
  5. Cloud video platform abused in web skimmer attack against real estate sites
Related Posts