GitHub Supply Chain Flood

  • Thread starter jedishrfu
  • #1
TL;DR Summary
GitHub has been inundated with a flood of forked repos with embedded malware. They have been able to stem the tide, but their tools are still missing thousands of manually uploaded repos with malware.
https://arstechnica.com/security/20...-of-malicious-repositories-in-ongoing-attack/

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

...
 
  • #2
Good to know.

In general, I usually just fork to maintain a copy that I can examine for coding ideas, and I've rarely ever cloned any to my desktop. In the past, I've found that most of the ones that I did try running have just enough odd dependencies that they aren't worth trying to run.

I don't tend to trust what I can't decipher. I've had to deal with hyper-obfuscated code on work projects and really don't trust that when I see it. :oldwink:
 
  • #3
The point is that folks are forking the repo and reposting it back to GitHub with embedded obfuscated malware. Developers might go for the forked version and so automatically install malware in their code.

This could apply to Maven builds as well, where libraries are corrupted with embedded malware. I know Docker images have been built with embedded crypto-mining capability.

https://blog.sonatype.com/malware-removed-from-maven-central

https://tuxcare.com/blog/unraveling-the-threat-of-new-docker-malware-campaign/

https://www.bleepingcomputer.com/ne...low-hackers-to-escape-docker-runc-containers/

I can see in the near future where AI models trained on this malware crap will be infected with malware and that may be the true purpose of this exercise in polluting the open source pool.
 
  • #4
Now it's Hugging Face's turn for the malware circus.
Hugging Face, the GitHub of AI, hosted code that backdoored user devices
Code uploaded to AI developer platform Hugging Face covertly installed backdoors and other types of malware on end-user machines, researchers from security firm JFrog said Thursday in a report that’s a likely harbinger of what’s to come.
 
  • #5
I tend to believe these issues (while not that frequent in the past) are now being caused, with greater frequency, by the amount of data generation we can perform nowadays with large language models.

Sadly, and I hope not, this will become a premium model for GitHub where free users won't be able to perform repository creation.
 