Dan Goodin

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

“Most of the forked repos are quickly removed by GitHub, which identifies the automation,” Matan Giladi and Gil David, researchers at security firm Apiiro, wrote Wednesday. “However, the automation detection seems to miss many repos, and the ones that were uploaded manually survive. Because the whole attack chain seems to be mostly automated on a large scale, the 1% that survive still amount to thousands of malicious repos.”

arstechnica.com/security/2024/
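The post describes forks that carry the same name as the legitimate repository they were copied from. As an added example (not code from the article or from Apiiro), the check below reads the record GitHub's `GET /repos/{owner}/{repo}` endpoint returns and flags that pattern, then resolves the root of the fork network so a consumer depends on the original rather than a lookalike. The sample records are constructed, not real repositories.

```python
"""Flag repositories that match the cloned-fork pattern: a fork whose name is
identical to its parent's, created recently, with little community signal."""
from datetime import datetime, timedelta, timezone

# Field names (fork, parent, source, full_name, name, owner, created_at,
# stargazers_count) are those of GitHub's repository API response.


def assess_repo(repo: dict, now: datetime, max_age_days: int = 30) -> list[str]:
    """Return the reasons a repo looks like a lookalike fork; empty means none found."""
    reasons = []
    parent = repo.get("parent")
    if not (repo.get("fork") and parent):
        return reasons  # not a fork: nothing to compare against
    # Same repo name under a different owner is the lookalike signal from the post.
    if repo["name"] == parent["name"] and repo["owner"]["login"] != parent["owner"]["login"]:
        reasons.append(f"fork named identically to {parent['full_name']}")
    created = datetime.fromisoformat(repo["created_at"].replace("Z", "+00:00"))
    age = now - created
    if age < timedelta(days=max_age_days):
        reasons.append(f"created {age.days} days ago")
    # A fresh fork of a popular project with no stars of its own is another weak signal.
    if repo.get("stargazers_count", 0) < 5 and parent.get("stargazers_count", 0) >= 100:
        reasons.append("fork has almost no stars while parent is popular")
    return reasons


def pick_canonical(repo: dict) -> str:
    """Return the full_name at the root of the fork network, which is what to depend on."""
    if repo.get("fork") and repo.get("source"):
        return repo["source"]["full_name"]
    return repo["full_name"]


# Constructed sample records (hypothetical owners and repo names).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
ORIGINAL = {"full_name": "example-org/widget", "name": "widget",
            "owner": {"login": "example-org"}, "fork": False,
            "created_at": "2019-05-10T12:00:00Z", "stargazers_count": 2400}
LOOKALIKE = {"full_name": "random-user-8813/widget", "name": "widget",
             "owner": {"login": "random-user-8813"}, "fork": True,
             "created_at": "2024-02-27T03:14:00Z", "stargazers_count": 0,
             "parent": ORIGINAL, "source": ORIGINAL}

if __name__ == "__main__":
    for repo in (ORIGINAL, LOOKALIKE):
        print(repo["full_name"], "->", pick_canonical(repo), assess_repo(repo, NOW))
```

Running it against the live API means fetching the record first with an authenticated client; the assessment itself needs no network.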

46 comments
Aaron

@dangoodin Maybe the whole software world shifting to the model of "Github is also your program's official website" was a bad idea.

C++ Wage Slave

@dangoodin How much longer would they have got away with it if they'd forked few enough repos, at a low enough rate, to go unnoticed? It makes me wonder if this is mostly about attacking or discrediting GitHub.

Fahri Reza

It's going to make it harder for regular devs to start their own project @dangoodin

The only things stopping the bad guys with malwares are the good guys with malwares.

phi1997

@dangoodin
Putting the vast majority of git repos on one platform was a terrible idea

Chris L

@phi1997 @dangoodin fortunately git is open and distributed with every clone. Hopefully people aren’t using GitHub CI or issues. Probably some git actions to jenkinsfiles transpilers are being written already.

Ray C. Keith

@jayalane @phi1997 @dangoodin

git itself could be hacked someday soon to insert malicious code.

And compilers, text editors, etc.

Compilers that insert malicious code have been tested. If disassemblers and debuggers are also hacked, you'd never know.

A writer of SF once predicted computers which had normal memory for data and hardware-protected memory for code (both RAM and disks were segregated thusly.)

Programmers and their specially-made code-writable computers were kept under lock and key and carefully monitored... like printers and printing presses under Nazi Germany or USSR-controlled East Germany.

Obviously, networks were also forbidden to normal users.

🇳𝗮ꜟ𝖼𝘩

@phi1997 @dangoodin
Another reason why huge monolithic servers are a bad idea. They are a single point of attack with potentially huge rewards for bad guys.

DELETED

@dangoodin Gee, imagine how much this must be poisoning their attempt to mine Github for AI driven code.

Jon

@Longplay_Games think of the malware that will emerge from copilot. That has to be the attack.

DELETED

@jongary When it comes to letting an AI write your code...

armadillo7672

@Longplay_Games @dangoodin this is exactly where my thoughts went as well. A brilliant attempt to poison the AI training data.

Gabriel Pettier

@Longplay_Games @dangoodin oh great "most projects have this stuff, so your project should, too" 🥲

DELETED

@tshirtman @dangoodin Thanks, VSCode, for auto-including an escalation framework. That's a handy time saver

ticho

@dangoodin Somehow, I can't seem to bring myself to care that a Microsoft property is being attacked. That company can burn in hell for all I care.

Mathias

@ticho @dangoodin The targets of the attack are the devs using GitHub, respectively their users. Microsoft/GitHub is just a proxy.

stux⚡

@dangoodin I mostly host my stuff on my own self-hosted closed GitLab but this news hurts

Such people are the reason we can’t have nice things

Florida atheist:

@dangoodin welp.. first EV ( private owner in Cuba got one..

and South Korea ? is best buddies compared to NK w. Cuba.. and Cuba - Russia - cocaine toxic Venezuela and and

Luke Nelson

@dangoodin
GitHub: *makes AI tools*
GitHub: *has to defend against automated attacks likely co-written by AI*
GitHub: *surprised pikachu face*

Andrew Leer

@dangoodin Well, it's been around 10 or 15 years right?

Sounds about time for a #platfall and it's already plenty #enshitified

DELETED

@dangoodin

Me watching Microsoft choke on their acquisition and A.I. technology like this scene from Fifth Element

youtu.be/krcNIWPkNzA?si=wE3u2n

Delta Wye

@silo_bear @dangoodin
“You’re a monster, Zorg.”
“I know.”
(Great underrated film.)

DELETED

@dangoodin Why do I get a feeling a YouTuber Kevin Fang is going to make a video of this catastrophe?

Daniel Hakimi

@dangoodin lol, how long until copilot starts giving people malware?

Wayne Werner

@DanHakimi @dangoodin well I know someone I follow got some sweet sweet SQL injection attacks in some of theirs, so

Dave Ackley

@dangoodin
centralization -> efficiency -> leverage -> exploitation -> decentralization -> robustness -> overhead ->

Paul Sutton

@dangoodin

There seem to be a lot of calls from UK military circles that we need to boost the number of troops so we are ready to counter threats from hostile states. While I agree with this, it seems that there is an equal threat from hostile states in terms of cyber attacks, which may actually be the first step in any new conflict, as a cyber attack can disrupt essential infrastructure.

Calls for an increase in our cyber defenses seem to be falling on deaf ears, despite the fact that criminals are now using more and more sophisticated techniques to catch victims.

If OpenAI can be sued for copyright infringement, can they be equally held accountable if their technology is used to impersonate a person's voice or images (photo, video)? Perhaps now that they have created this technology they need to be held to account for what people use it for.

At some point in the not too distant future, I can see a situation where a fake video leads to a miscalculation or misunderstanding that starts a much wider conflict or situation that, once started, can't easily be resolved.

smallcircles (Humanity Now 🕊)

@dangoodin

CC'ing @Codeberg and @forgejo as well for awareness.

In the HN discussion about this issue #Codeberg is mentioned as probably too small for malicious actors to implement their scripts for, but it only needs one fellow with some extra time to expand their campaign.

news.ycombinator.com/item?id=3

KasTas

@dangoodin forcing co-pilot to learn some new tricks on doing malware instead of some boilerplate code like linked list?

Chris Beattie

@dangoodin I manually reported one of these, named Adobe Sign. Took GitHub nearly a week to take it down. 1 week times thousands of repos = one heck of a big problem!

fool

@dangoodin reminds me why keeping things small and separate was an unintentionally good idea

Orca🌻 | 🏴🏳️‍⚧️

@dangoodin@infosec.exchange I sincerely hope this is also a wake-up call for better moderation tools in self-hosted code forge solutions

DELETED

@dangoodin I wonder how they get around 2FA on such a large scale?

noplasticshower

@dangoodin wow. Good thing it's all open source???! Lol.

Bill Zaumen

@dangoodin I sort of wonder if a reason for someone to put malware on GitHub is to steal developers' GPG keys, which would allow one to compromise a lot more than a single library or application.

Gillytron 🐊

Folks need to take this more seriously. Make sure you’re checking the source of your dependencies. Check for signed commits. Inspect the source code. Open source is provided as it is. It’s your job as the “consumer” to validate and weigh the risks.
