GitHub is struggling to contain an ongoing attack that’s...

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

“Most of the forked repos are quickly removed by GitHub, which identifies the automation,” Matan Giladi and Gil David, researchers at security firm Apiiro, wrote Wednesday. “However, the automation detection seems to miss many repos, and the ones that were uploaded manually survive. Because the whole attack chain seems to be mostly automated on a large scale, the 1% that survive still amount to thousands of malicious repos.”

https://arstechnica.com/security/2024/02/github-besieged-by-millions-of-malicious-repositories-in-ongoing-attack/

Like 28 February at 22:48 | Open on infosec.exchange

46 comments

Aaron

@dangoodin Maybe the whole software world shifting to the model of "Github is also your program's official website" was a bad idea.

28 February at 23:07 | Open on chirp.zadzmo.org

C++ Guy

@dangoodin How much longer would they have got away with it if they'd forked few enough repos, at a low enough rate, to go unnoticed? It makes me wonder if this is mostly about attacking or discrediting GitHub.

28 February at 23:09 | Open on infosec.space

John T. Johnson, PhD :ublue:

@CppGuy Maybe they did.

29 February at 14:00 | Open on fosstodon.org

Fahri Reza

It's going to make it harder for regular devs to start their own project @dangoodin

The only things stopping the bad guys with malwares are the good guys with malwares.

28 February at 23:13 | Open on mastodon.social

phi1997

@dangoodin
Putting the vast majority of git repos on one platform was a terrible idea

28 February at 23:32 | Open on mastodon.social

Chris L

@phi1997 @dangoodin fortunately git is open and distributed with every clone. Hopefully people aren’t using GitHub CI or issues. Probably some git actions to jenkinsfiles transpilers are being written already.

28 February at 23:47 | Open on mastodon.online

Ray C. Keith

@jayalane @phi1997 @dangoodin

git itself could be hacked someday soon to insert malicious code.

And compilers, text editors, etc.

Compilers that insert malicious code have been tested. If disassemblers and debuggers are also hacked, you'd never know.

A writer of SF once predicted computers which had normal memory for data and hardware-protected memory for code (both RAM and disks were segregated thusly.)

programmers and their specially-made code-writable computers were kept under lock and key and carefully monitored... like a printers and printing presses under Nazi Germany or USSR-controlled East Germany.

Obviously, networks were also forbidden to normal users.

@jayalane @phi1997 @dangoodin

git itself could be hacked someday soon to insert malicious code.

And compilers, text editors, etc.

Compilers that insert malicious code have been tested. If disassemblers and debuggers are also hacked, you'd never know.

A writer of SF once predicted computers which had normal memory for data and hardware-protected memory for code (both RAM and disks were segregated thusly.)

Expand text...

29 February at 1:35 | Open on techhub.social

🇳𝗮ꜟ𝖼𝘩

@phi1997 @dangoodin
Another reason why huge monolithic servers are a bad idea. They are a single point of attack with potentially huge rewards for bad guys.

29 February at 7:00 | Open on fosstodon.org

Longplay Games :pc_color: 🎮

@dangoodin Gee, imagine how much this must be poisoning their attempt to mine Github for AI driven code.

28 February at 23:47 | Open on mstdn.games

Jon

@Longplay_Games think of the malware that will emerge from copilot. That has to be the attack.

29 February at 0:50 | Open on macaw.social

Longplay Games :pc_color: 🎮

@jongary When it comes to letting an AI write your code...

29 February at 1:06 | Open on mstdn.games

armadillo7672

@Longplay_Games @dangoodin this is exactly where my thoughts went as well. A brilliant attempt to poison the AI training data.

29 February at 5:07 | Open on universeodon.com

Gabriel Pettier

@Longplay_Games @dangoodin oh great "most projects have this stuff, so your project should, too" 🥲

29 February at 6:49 | Open on mas.to

Longplay Games :pc_color: 🎮

@tshirtman @dangoodin Thanks, VSCode, for auto-including an escalation framework. That's a handy time saver

29 February at 13:40 | Open on mstdn.games

ticho

@dangoodin Somehow, I can't seem to bring myself to care that a Microsoft property is being attacked. That company can burn in hell for all I care.

29 February at 0:13 | Open on mas.to

Mathias

@ticho @dangoodin The target of the attack are the devs using Github, respectively their users. Microsoft/Github is just a proxy.

29 February at 6:36 | Open on chaos.social

ticho

@matthegap @dangoodin A good point, thank you.

29 February at 14:39 | Open on mas.to

stux⚡

@dangoodin I mostly host my stuff on my own self-hosted closed GitLab but this news hurts

Such people are the reason we can’t have nice things

29 February at 0:54 | Open on mstdn.social

Some Wandom Noob

@dangoodin WHICH RESEARCHERS?!

29 February at 1:04 | Open on mastodon.social

Graham Spookyland🎃/Polynomial

@SomeWandomNoob @dangoodin the researchers are linked in the article, right at the start.

https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack/

29 February at 2:19 | Open on chaos.social

4TH3I57 EV L0V3R/ / /FL/US

@dangoodin welp.. first EV ( private owner in Cuba got one..

and South Korea ? is best buddies compared to NK w. Cuba.. and Cuba - Russia - cocaine toxic Venezuela and and

29 February at 1:16 | Open on mastodon.online

Luke Nelson

@dangoodin
GitHub: *makes AI tools*
GitHub: *has to defend against automated attacks likely co-written by AI*
GitHub: *surprised pikachu face*

29 February at 1:56 | Open on social.nelson.zone

ansible42

@luc122c @dangoodin please pay for the hosting and now you need to pay a protection fee

29 February at 3:01 | Open on social.ridetrans.it

Kevin

@luc122c @dangoodin AI vs AI.... FIGHT!

29 February at 3:20 | Open on dice.camp

Pixelcode 🇺🇦

@luc122c @dangoodin Why do you suspect AI?

29 February at 16:59 | Open on social.tchncs.de

Andrew Leer

@dangoodin Well, it's been around 10 or 15 years right?

Sounds about time for a #platfall and it's already plenty #enshitified

29 February at 2:15 | Open on discuss.systems

Andrew Leer

@dangoodin Maybe it doesn't deserve to exist.

29 February at 2:16 | Open on discuss.systems

DELETED

@dangoodin

Me watching Microsoft choke on their acquisition and A.I. technology like this scene from Fifth Element

https://youtu.be/krcNIWPkNzA?si=wE3u2nqpVBQunHU9

29 February at 2:44 | Open on mindly.social

Delta Wye

@silo_bear @dangoodin
“You’re a monster, Zorg.”
“I know.”
(Great underrated film.)

29 February at 12:37 | Open on mstdn.social

DELETED

@dangoodin Why do I get a feeling a YouTuber Kevin Fang is going to make a video of this catastrophe?

29 February at 3:57 | Open on mastodon.social

Daniel Hakimi

@dangoodin lol, how long until copilot starts giving people malware?

29 February at 4:37 | Open on mastodon.social

Wayne Werner

@DanHakimi @dangoodin well I know someone I follow got some sweet sweet SQL injection attacks in some of theirs, so

29 February at 5:24 | Open on fosstodon.org

Embers :ms_transgender_flag: :Blobhaj_Ghostie_Alive:

@dangoodin may they train their LLMs on that shite

29 February at 5:18 | Open on blobfox.coffee

Chip Butty

@dangoodin was copilot involved?

29 February at 7:27 | Open on functional.cafe

Dave Ackley

@dangoodin
centralization -> efficiency -> leverage -> exploitation -> decentralization -> robustness -> overhead ->

29 February at 7:27 | Open on hachyderm.io

Paul Sutton

@dangoodin

There seems to be a lot of calls from the Uk military circles we need to boost the number of troops so we are ready to counter threats from hostile states. While I agree with this, it seems that there is an equal threat from hostile states in terms of cyber attacks, which may actually be the first step in any new conflict as a cyber attack can disrupt essential infrastructure.

Calls for an increase in or cyber defenses seem to be falling on deaf ears, despite the fact criminals are now using more and more sophisticate techniques to catch victims.

If OpenAI can be sued for copyright infringement, can they be equally held accountable if their technolgy is used to inpersonate a persons voice, or images (photo, video), perhaps now they have created this technology they need to be held to account for what people use it for.

At some point in the not too distant future, I can see a situaion where a fake video leads to a miscalculation or misunderstanding that starts a much wider conflict or situation that once started can't easily be resolved.

@dangoodin

Expand text...

29 February at 8:49 | Open on qoto.org

smallcircles (Humanity Now 🕊)

@dangoodin

CC'ing @Codeberg and @forgejo as well for awareness.

In the HN discussion about this issue #Codeberg is mentioned as probably too small for malicious actors to implement their scripts for, but it only needs one fellow having some extra time and expand their campaign.

https://news.ycombinator.com/item?id=39545676

29 February at 10:11 | Open on social.coop

KasTas

@dangoodin forcing co-pilot to learn some new tricks on doing malware instead of some boilerplate code like linked list?

29 February at 10:25 | Open on river.group.lt

Central Illumination Agency

@dangoodin Well that’s not good 😳

#github

29 February at 11:00 | Open on chaos.social

Chris Beattie

@dangoodin I manually reported one of these, named Adobe Sign. Took GitHub nearly a week to take it down. 1 week times thousands of repos = one heck of a big problem!

29 February at 15:14 | Open on infosec.exchange

fool

@dangoodin reminds me why keeping things small and separate was an unintentionally good idea

29 February at 15:43 | Open on mastodon.world

Orca🌻 | 🏴🏳️‍⚧️

@dangoodin@infosec.exchange I sincerely hope this also be a wake up call for better moderation tools in selfhosted code forge solutions :anenw20:

29 February at 16:11 | Open on nya.one

DELETED

@dangoodin I wonder how they get around 2FA on such a large scale?

29 February at 16:57 | Open on emacs.ch

noplasticshower

@dangoodin wow. Good thing it's all open source???! Lol.

29 February at 17:15 | Open on zirk.us

Bill Zaumen

@dangoodin I' sort of wonder if a reason for someone to put malware on github is to steal developers' GPG keys, which would allow one to compromise a lot more than a single library or application.

29 February at 17:36 | Open on fosstodon.org

Gillytron 🐊

Folks need to take this more seriously. Make sure you’re checking the source of your dependencies. Check for signed commits. Inspect the source code. Open source is provided as it is. It’s your job as the “consumer” to validate and weigh the risks.

29 February at 20:09 | Open on infosec.exchange