Millions Of GitHub Repos Found Infected With Malicious Code

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

A recent report by security firm Apiiro has revealed that a “repo confusion” attack has compromised more than 100,000 repositories on GitHub.

This type of attack involves exploiting a flaw in the way that Git, the version control system used by GitHub, handles repository names and can lead to malicious code being injected into legitimate repositories.

This highlights the need for improved security measures to prevent such attacks and protect the integrity of code stored on GitHub.

This attack technique exploits the expansive scale and unguarded accessibility of the GitHub platform to launch attacks on unprepared developers.

How Does It Work?

  1. Cloning Popular Repos: Attackers target popular repositories like TwitterFollowBot, WhatsappBOT, etc., and create copies of them.
  2. Injecting Malware: These copies are infected with malware designed to steal login credentials, browser data, and other sensitive information.
  3. Uploading to GitHub: The infected repositories are uploaded back to GitHub with identical names, hoping unsuspecting developers will choose them by mistake.
  4. Spreading the Deception: Attackers use automation to create thousands of forks (copies) of these malicious repositories and promote them through online forums and platforms frequented by developers

Upon utilization of the tainted repos, unsuspecting developers inadvertently unpack a hidden payload consisting of seven layers of obfuscation. 

This process involves extracting malicious Python code and an executable binary, specifically a modified version of BlackCap-Grabber.

The malevolent code is designed to collect sensitive information such as login credentials from various applications, browser-related data like passwords and cookies, as well as other confidential information.

Afterward, it transmits all the gathered data to the command-and-control server of the attackers. This sets off a cascade of additional malicious activities.

The Scope Of The Attack

According to Apiiro’s research, an attack campaign that started in mid-2023 has been gaining momentum in recent months.

The confirmed count of infected repositories has surpassed 100,000, and there is a possibility that the actual number could be in the millions.

  • May 2023: Malicious packages containing parts of the current payload appear on PyPI (Python Package Index).
  • July – August 2023: Attackers shift to directly uploading infected repositories to GitHub after PyPI removes the malicious packages.
  • November 2023 – Present: Over 100,000 infected repositories detected, with the number constantly growing.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter