Developer Stephen Lacy stirred up the community when he announced on Twitter that he had discovered a “massive malware attack” on GitHub that affected about 35,000 repositories. However, it turned out that it was not about compromise or hacking: the discovered repositories turned out to be forks (copies) of other projects created specifically for the distribution of malware.
Lacey’s original tweet really alarmed the community, as in it the researcher claimed to have found that 35,000 repositories were infected with malware, and the attack affected such well-known projects as crypto, golang, python, js, bash, docker and k8s. Unfortunately, many didn’t read past the first post, and in a subsequent thread, Lacy explained exactly what was going on.
While forking is a common practice and even encouraged among developers, in this case, attackers create copies of other people’s projects and infect them with malicious code in order to attack unsuspecting developers through these malicious clones.
It all started when Lacy was looking into an open source project “found through Google” and noticed the following URL in the code: hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru. As it turns out, a GitHub search turns up this URL in over 35,000 files in a wide variety of repositories.
Bleeping Computer journalists note that this number reflects the number of suspicious files, not infected repositories, so Lacy’s initial estimate was not entirely correct. So, out of 35,788 search results, more than 13,000 results were obtained from one repository – redhat-operator-ecosystem.
After Lacey’s message, many experts began to figure out what exactly he had discovered. For example, James Tucker found that cloned repositories containing a malicious URL extracted user environment variables and were also equipped with a one-line backdoor. Thus, hackers could not only steal important secrets, including API keys, tokens, credentials from Amazon AWS, and cryptographic keys, but also execute arbitrary code on infected systems.
Bleeping Computer journalists write that the vast majority of clone repositories appeared within the last month (from six to twenty days ago), however, some repositories with malicious commits date back to 2015, that is, they were probably hacked.
However, the most recent commits containing the malicious URL already come primarily from defenders, including threat analyst Florian Roth, who created the Sigma rules to detect malicious code. Unfortunately, not everyone has figured out what is going on yet, and some GitHub users have started to falsely complain about the Sigma repository, considering it to be malicious.
Over the past few hours, GitHub has removed almost all malicious clone repositories from its platform, according to Lacey and journalists.