
GitHub Struggles to Fight Malicious Attack Flooding Site With Malware-Laden Repositories

In recent news, it has been reported that GitHub, a popular Git-based hosting service, is currently facing a significant attack that is flooding the site with millions of malicious code repositories. Researchers say these repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices.

The attack is being carried out by an unknown party who has automated a process of forking legitimate repositories. In this process, the source code is copied from a legitimate repository, which allows developers to use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original but with an added payload wrapped under seven layers of obfuscation. To make matters worse, some people are forking the forks, which adds to the flood of malicious repositories.

While most malicious repositories are quickly removed by GitHub, which identifies the automation, the automation detection misses many repositories. Moreover, the ones that were uploaded manually survive, making it difficult to contain the attack. Because the attack chain is largely automated and operates at scale, even the 1% that survive still amounts to thousands of malicious repositories.

The number of repositories uploaded or forked before GitHub removes them is likely in the millions. The researchers have estimated that the attack “impacts more than 100,000 repositories”. Given the constant churn of new repositories being uploaded and GitHub's removal of them, it is hard to estimate precisely how many of each there are.

GitHub officials did not dispute the researchers' estimates. They provided a statement in which they emphasized their commitment to providing developers with a safe and secure platform. They employ teams dedicated to detecting, analyzing, and removing content and accounts that violate their Acceptable Use Policies. They also encourage customers and community members to report abuse and spam.

This is not the first time supply-chain attacks targeting developer platform users have been reported. Such attacks have existed since at least 2016, when a college student uploaded custom scripts to RubyGems, PyPI, and NPM. The scripts bore names similar to widely used legitimate packages but otherwise had no connection to them. This kind of supply-chain attack is often called typosquatting because it relies on users making minor errors when choosing the name of a package they want to use.

In 2021, a researcher used a similar technique to successfully execute counterfeit code on networks belonging to Apple, Microsoft, Tesla, and dozens of other companies. The method, known as a dependency confusion or namespace confusion attack, started by placing malicious code packages in an official public repository and giving them the same names as dependency packages Apple and the other targeted companies use in their products. Automated scripts inside the package managers employed by the companies then downloaded and installed the counterfeit dependency code.

The technique observed by Apiiro, the security firm that reported the attack, is known as repo confusion. As in dependency confusion attacks, malicious actors get their target to download the malicious version instead of the real one. However, dependency confusion attacks take advantage of how package managers work. In contrast, repo confusion attacks rely on humans to mistakenly pick the malicious version over the real one, sometimes with the help of social engineering techniques.

The campaign currently targeting GitHub began last May and was ongoing at the time of the report. The attackers are cloning existing repositories, infecting them with malware loaders, uploading them back to GitHub with identical names, and automatically forking each one thousands of times. They also covertly promote them online via forums, Discord, etc.
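Repo confusion, as described above, works because a cloned repository carries the same name as the original but a different owner, and because the lookalikes are young, heavily forked, and often forks of forks rather than of the trusted upstream. The script below is an added example (not Apiiro's or GitHub's code) of two defender-side checks built on those properties: a triage pass over a constructed list of repository records, and a check of a local clone's `origin` URL against an allowlist of expected owners. The record fields, the `TRUSTED` allowlist, and the thresholds are assumptions chosen for illustration, not a real GitHub API schema.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Repo:
    """Constructed repository record; field names are assumptions, not a GitHub API schema."""
    owner: str
    name: str
    stars: int
    forks: int
    age_days: int                       # days since the repository was created
    fork_parent: Optional[str] = None   # "owner/name" of the upstream if this is a fork

# Constructed allowlist: repository name -> owner the organisation trusts.
TRUSTED = {
    "fastapi-auth": "example-org",
    "infra-tools": "example-org",
}

# Accepts https://github.com/owner/name(.git) and git@github.com:owner/name(.git) remotes.
_REMOTE_RE = re.compile(r"^(?:https://github\.com/|git@github\.com:)([^/]+)/([^/]+?)(?:\.git)?/?$")

def parse_remote(url: str) -> Optional[tuple]:
    """Split a GitHub remote URL into (owner, name), or None if it is not a GitHub remote."""
    m = _REMOTE_RE.match(url.strip())
    return (m.group(1), m.group(2)) if m else None

def check_clone_origin(url: str, trusted=TRUSTED) -> str:
    """Clone-time check: does the origin owner match the owner we expect for this name?"""
    parsed = parse_remote(url)
    if parsed is None:
        return "unparsed"
    owner, name = parsed
    expected = trusted.get(name)
    if expected is None:
        return "unknown"          # not a repository we track; no opinion
    if owner == expected:
        return "ok"
    return f"lookalike: expected {expected}/{name}, got {owner}/{name}"

def find_lookalikes(repos: Iterable[Repo], trusted=TRUSTED, max_age_days: int = 90) -> list:
    """Flag same-named repositories under a different owner and explain why each looks suspicious."""
    findings = []
    for r in repos:
        expected = trusted.get(r.name)
        if expected is None or r.owner == expected:
            continue                                   # untracked name, or the genuine upstream
        reasons = []
        if r.age_days <= max_age_days:
            reasons.append("recently created")
        if r.forks > 10 * max(r.stars, 1):
            reasons.append("fork count far exceeds stars")   # automated forking, no real audience
        if r.fork_parent is None:
            reasons.append("same-named non-fork under a different owner")  # re-uploaded clone
        elif r.fork_parent != f"{expected}/{r.name}":
            reasons.append("fork of a fork, not of the trusted upstream")
        findings.append((f"{r.owner}/{r.name}", reasons))
    return findings

# Constructed sample listing: the genuine upstream, a re-uploaded clone, and a fork of that clone.
SAMPLE = [
    Repo("example-org", "fastapi-auth", stars=1200, forks=300, age_days=900),
    Repo("rnd-user-4412", "fastapi-auth", stars=0, forks=2400, age_days=3),
    Repo("rnd-user-9901", "fastapi-auth", stars=0, forks=5, age_days=1,
         fork_parent="rnd-user-4412/fastapi-auth"),
    Repo("someone", "unrelated-repo", stars=4, forks=1, age_days=30),
]

if __name__ == "__main__":
    for full_name, reasons in find_lookalikes(SAMPLE):
        print(full_name, "->", "; ".join(reasons))
    print(check_clone_origin("git@github.com:rnd-user-4412/fastapi-auth.git"))
```

The listing pass is a triage aid rather than a verdict: a legitimate fork under a personal account will also trip the owner mismatch, so the reasons list exists to rank what a reviewer looks at first. The origin check is the cheaper control and suits a pre-commit or CI hook, since it needs only the allowlist and the clone's remote URL.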

Developers who use any of the malicious repositories in the campaign unpack a payload buried under seven layers of obfuscation to receive malicious code and, later, an executable file. The code mainly consists of a modified version of the open-source BlackCap-Grabber. It collects authentication cookies and login credentials from various apps and sends them to a server controlled by the attacker. The researchers said the malicious repo “performs a long series of additional malicious activities.”
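The page says only that the payload sits under seven layers of obfuscation, not what those layers are. The script below is an added example (not Apiiro's analysis tooling or any code from the campaign) of how an analyst can peel such layers statically, by parsing each stage as Python and evaluating only a small allowlist of decoding calls on literal data, so nothing from the sample is ever executed. It assumes the common `exec(decode(decode(<literal>)))` wrapping style; the `wrap_layers` helper exists purely to construct a harmless seven-layer sample around a `print` statement for the demonstration.

```python
import ast
import base64
import binascii
import zlib
from typing import Optional, Union

# Decoders the static peeler is allowed to apply to literal data. Anything else stops the unwrap.
DECODERS = {
    "b64decode": base64.b64decode,
    "b32decode": base64.b32decode,
    "unhexlify": binascii.unhexlify,
    "decompress": zlib.decompress,
}

def _is_reverse_slice(node: ast.AST) -> bool:
    """True for the `[::-1]` reversal idiom (requires Python 3.9+ AST layout)."""
    if not (isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice)):
        return False
    s = node.slice
    return (s.lower is None and s.upper is None
            and isinstance(s.step, ast.UnaryOp) and isinstance(s.step.op, ast.USub)
            and isinstance(s.step.operand, ast.Constant) and s.step.operand.value == 1)

def _eval_decode_chain(node: ast.AST) -> Optional[Union[str, bytes]]:
    """Evaluate a chain of allowlisted decoders applied to a literal; None if anything else appears."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        return node.value
    if _is_reverse_slice(node):
        inner = _eval_decode_chain(node.value)
        return None if inner is None else inner[::-1]
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        attr = node.func.attr
        if attr == "decode" and not node.args:            # <bytes expr>.decode()
            inner = _eval_decode_chain(node.func.value)
            return inner.decode("utf-8", "replace") if isinstance(inner, bytes) else None
        if attr in DECODERS and len(node.args) == 1:      # e.g. __import__('zlib').decompress(x)
            inner = _eval_decode_chain(node.args[0])
            if inner is None:
                return None
            try:
                return DECODERS[attr](inner if isinstance(inner, bytes) else inner.encode())
            except Exception:
                return None
    return None

def _unwrap_once(src: str) -> Optional[str]:
    """If `src` is a single exec(<decode chain>) statement, return the decoded inner source."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return None
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.Expr):
        return None
    call = tree.body[0].value
    if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
            and call.func.id == "exec" and len(call.args) == 1):
        return None
    data = _eval_decode_chain(call.args[0])
    if data is None:
        return None
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else data

def peel_layers(src: str, max_layers: int = 20) -> tuple:
    """Statically unwrap nested exec() layers; returns (innermost source, layers removed)."""
    layers = 0
    while layers < max_layers:
        inner = _unwrap_once(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers

def wrap_layers(src: str, n: int) -> str:
    """Construct a harmless n-layer sample (base64 and zlib+base64 alternating) for the demo."""
    for i in range(n):
        raw = src.encode()
        if i % 2 == 0:
            blob = base64.b64encode(raw).decode()
            src = f"exec(__import__('base64').b64decode({blob!r}))"
        else:
            blob = base64.b64encode(zlib.compress(raw)).decode()
            src = f"exec(__import__('zlib').decompress(__import__('base64').b64decode({blob!r})))"
    return src

INNERMOST = 'print("hello from the innermost layer")'   # constructed benign payload

if __name__ == "__main__":
    sample = wrap_layers(INNERMOST, 7)
    recovered, depth = peel_layers(sample)
    print(f"removed {depth} layers:", recovered)
```

Because the peeler refuses anything outside `DECODERS`, a layer that computes its key at runtime or pulls the next stage from the network stops the unwrap with the partially decoded stage in hand, which is the point at which dynamic analysis in a sandbox takes over.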

Deitasoft © 2024. All Rights Reserved.