GitHub faces large-scale attack posing threats to millions of projects
Verify the source and legitimacy of a code before using it
Published on March 4, 2024
In a recent development, millions of users and developers on GitHub are on high alert, as the platform is under a large-scale attack.
According to security experts at Apiiro, there is a concerning trend indicating that malicious actors are targeting GitHub repositories, potentially jeopardizing more than 100,000 projects.
Apiiro also described the steps by which these repo confusion attacks happen:
In order to maximize the chances of infection, the malicious actor is flooding GitHub with malicious repos, following these steps:
The attack uses a technique called malicious repository obfuscation, in which attackers clone legitimate repositories, inject harmful code, and then re-upload them to GitHub.
Attackers usually target popular and frequently downloaded repositories. To amplify the impact, they use automated methods to create several counterfeit forks of the compromised repositories and spread them through social media, online forums and other channels, tricking users into downloading the malicious repos.
How does the attack work?
These compromised repositories are a threat because unsuspecting users can download them, which might lead to their devices being compromised or exposed to malware.
Once a malicious repo is used on your device, the hidden payload unpacks seven layers of obfuscation, which involves pulling in malicious Python code and a binary executable. The malicious code then collects confidential data, including login IDs and passwords for apps, browser passwords and cookies, and sends it back to the malicious actors' C&C server.
How do I know if I am infected?
To find out whether you are infected, look for the Python patterns and examine the matches:
Next, check whether any repos related to the automation of actions on social platforms, gaming, and bots are present, and remove them. You can reinstall the repositories after carefully verifying the source or running them in a sandbox first.
If you suspect you have used a cloned repo, check your browser-saved passwords and change all of those related to any financial service, streaming service, crypto service, email service, eBay, Twitter, Amazon, Facebook, Instagram, AliExpress, Discord, YouTube, Spotify, Yahoo, TikTok, Twitch, Express VPN, and Telegram.
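The article does not reproduce the Python patterns Apiiro published, so the following is an added example, not the article's or Apiiro's detection rules: a generic, non-executing scanner that parses each .py file in a checked-out repository, finds exec()/eval() calls, and statically peels decoder chains (base64, zlib, hex, string reversal) wrapped around literals, counting how many decode-and-exec layers it can unwrap. It assumes the layered payload style described above; a stage that fetches its successor from the network or a variable cannot be peeled statically and is reported as opaque. The sample input is constructed and harmless.

```python
"""Static scanner for layered decode-and-exec obfuscation in Python files.
Added example (generic heuristic, not Apiiro's patterns); never executes
the scanned code, it only decodes literals the same way the code would."""
import ast
import base64
import os
import zlib
from dataclasses import dataclass
from typing import List, Optional

EXEC_LIKE = {"exec", "eval"}
B64_FUNCS = {"b64decode", "b32decode", "b16decode", "b85decode", "a85decode"}


@dataclass
class Finding:
    path: str
    lineno: int
    layers: int       # decode+exec layers peeled down to this point
    last_stage: str   # "decoded-final-stage" or "dynamic-or-remote"


def _call_name(node: ast.AST) -> Optional[str]:
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return None


def unwrap_literal(node: ast.AST):
    """Apply a chain of pure decoders to the literal they wrap. Returns the
    decoded stage (str/bytes), or None if any step is not a decoder applied
    to a literal (a variable, file read, HTTP fetch, ...)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        return node.value
    if isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice):
        s, inner = node.slice, unwrap_literal(node.value)   # "..."[::-1] reversal trick
        if (inner is not None and s.lower is None and s.upper is None
                and isinstance(s.step, ast.UnaryOp) and isinstance(s.step.op, ast.USub)
                and isinstance(s.step.operand, ast.Constant) and s.step.operand.value == 1):
            return inner[::-1]
        return None
    name = _call_name(node)
    try:
        if name in B64_FUNCS and node.args:
            inner = unwrap_literal(node.args[0])
            return getattr(base64, name)(inner) if inner is not None else None
        if name == "decompress" and node.args:
            inner = unwrap_literal(node.args[0])
            return zlib.decompress(inner) if isinstance(inner, bytes) else None
        if name == "fromhex" and node.args:
            inner = unwrap_literal(node.args[0])
            return bytes.fromhex(inner) if isinstance(inner, str) else None
        if name in ("decode", "encode") and isinstance(node.func, ast.Attribute):
            inner = unwrap_literal(node.func.value)          # b"...".decode() / "...".encode()
            if name == "decode" and isinstance(inner, bytes):
                return inner.decode("utf-8", "replace")
            if name == "encode" and isinstance(inner, str):
                return inner.encode()
    except (ValueError, zlib.error):   # bad padding, corrupt stream, odd-length hex
        return None
    return None


def peel_layers(src: str, path: str, lineno: int = 0, depth: int = 0,
                findings: Optional[List[Finding]] = None) -> List[Finding]:
    """Parse one stage, locate exec()/eval(), statically peel the argument and
    recurse into the decoded stage. Nothing is ever executed."""
    findings = [] if findings is None else findings
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return findings
    for node in ast.walk(tree):
        if _call_name(node) in EXEC_LIKE and isinstance(node.func, ast.Name) and node.args:
            line = lineno or node.lineno
            payload = unwrap_literal(node.args[0])
            if payload is None:                      # variable, file or network stage
                findings.append(Finding(path, line, depth + 1, "dynamic-or-remote"))
                continue
            if isinstance(payload, bytes):
                payload = payload.decode("utf-8", "replace")
            before = len(findings)
            peel_layers(payload, path, line, depth + 1, findings)
            if len(findings) == before:              # innermost stage held no further exec()
                findings.append(Finding(path, line, depth + 1, "decoded-final-stage"))
    return findings


def max_layers(findings: List[Finding]) -> int:
    return max((f.layers for f in findings), default=0)


def scan_tree(root: str) -> List[Finding]:
    """Scan every .py file under a checked-out repository."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    peel_layers(fh.read().decode("utf-8", "replace"), full, findings=findings)
    return findings


def build_sample_payload(layers: int) -> str:
    """Constructed, harmless test input: a plain assignment wrapped in the given
    number of base64+zlib+exec layers (not a real payload)."""
    stage = "RESULT = 'innermost stage reached'"
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(stage.encode())).decode()
        stage = f"import base64, zlib\nexec(zlib.decompress(base64.b64decode('{blob}')))"
    return stage


if __name__ == "__main__":
    for f in peel_layers(build_sample_payload(7), "constructed-sample.py"):
        print(f"{f.path}:{f.lineno} layers={f.layers} {f.last_stage}")
```

Run `scan_tree("path/to/checkout")` on a freshly cloned repository before installing or executing anything from it; any finding with several layers, or a `dynamic-or-remote` stage behind a decoder chain, is worth a manual look. The scanner only reads and decodes literals, so it is safe to run on untrusted code, but it is a heuristic: payloads assembled from variables or fetched at run time stop the unwrap at that layer and are reported rather than decoded.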
The report by Apiiro also points to several factors, including the user-friendly interface, the existence of numerous hidden repositories, and easily accessible APIs, which add to GitHub's vulnerability to these types of attacks.
This malicious campaign started in May 2023, and several malicious repos were uploaded to GitHub between July and August 2023.
In November 2023, Apiiro detected them and notified GitHub, and the platform was successful in identifying and removing malicious repositories.
However, the campaign still continues, and attackers are ever more persistent in injecting harmful code into the supply chain. GitHub is continuously trying to detect and remove this code once it is uploaded; however, users are still being put at risk.
Therefore, while the platform is working to make it safe, we developers and users must also exercise caution when downloading any file or code from it, especially if the repositories are familiar to you. Also, make sure you verify the source and the legitimacy of the code before integrating it into your projects.
If you encounter any malicious repo, GitHub and Apiiro urge you to report it, to prevent it from doing further harm.
Have you encountered any malicious repos so far? If yes, share your experience in the comments section below.
Srishti Sisodia
Windows Software Expert
Srishti Sisodia is an electronics engineer and writer with a passion for technology. She has extensive experience exploring the latest technological advancements and sharing her insights through informative blogs.
Her diverse interests bring a unique perspective to her work, and she approaches everything with commitment, enthusiasm, and a willingness to learn. That’s why she’s part of Windows Report’s Reviewers team, always willing to share the real-life experience with any software or hardware product. She’s also specialized in Azure, cloud computing, and AI.