Millions of developers and users are on alert as the popular code-sharing platform GitHub faces a large-scale attack. Security researchers at Apiiro have identified a concerning trend where malicious actors are targeting GitHub repositories, potentially compromising over 100,000 projects.

Image: GitHub (credit: zbw mediatalk)

Massive Malware Campaign Targets Over 100,000 GitHub Repositories

The attack involves a technique called “malicious repository obfuscation” where attackers clone legitimate repositories, inject harmful code, and re-upload them to the platform. These tampered repositories can then be downloaded by unsuspecting users, potentially compromising their systems or infecting them with malware.

The report by Apiiro highlights several factors making GitHub vulnerable to such attacks. The platform’s ease of use, readily available APIs, and the presence of numerous hidden repositories create an ideal environment for attackers to launch “watering hole attacks.”

In these attacks, attackers target popular and frequently downloaded repositories. They inject malicious code into these repositories and then re-upload them. To further amplify their reach, attackers create numerous fake forks of the compromised repositories using automated methods. These fake forks can then be spread through social media, online forums, and other channels, tricking users into downloading the malicious versions.

The report acknowledges that GitHub has been notified and has taken down most of the identified malicious repositories. However, the activity is ongoing, with attackers constantly attempting to inject harmful code. This ongoing struggle resembles a game of whack-a-mole, where GitHub plays catch-up, removing malicious code after it has already been uploaded, potentially putting users at risk.

The report further reveals that this attack campaign began in May 2023 and has been steadily growing. This continuous activity raises concerns that even more repositories and users could be compromised in the future. Developers and users are advised to exercise caution when downloading code from GitHub, especially from unfamiliar repositories. It’s crucial to verify the source and legitimacy of the code before integrating it into projects.
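One concrete way to act on that advice is to compare a repository you are about to use against the trusted upstream it claims to copy, rather than relying on its name or star count. The script below is an added example written for this article, not code from Apiiro or GitHub; it models git history and file trees in memory with constructed sample data so it runs offline (in practice the trees and commit lists would come from two local clones). It flags commits the upstream never published and lists the files they add, change or remove, which is exactly where injected code in a re-uploaded copy would show up.

```python
"""Vet a repository copy against its trusted upstream before integrating it.

Added example (not part of the original article or Apiiro's report). Histories
and file trees are modelled in memory with constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Commit:
    """One commit: its id, its parent id and the full file tree at that commit."""
    sha: str
    parent: Optional[str]
    tree: dict  # path -> file bytes (snapshot, constructed for this example)


def file_digests(tree: dict) -> dict:
    """SHA-256 of every file, so comparison is by content rather than by name."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def compare_trees(upstream: dict, candidate: dict) -> dict:
    """Files the candidate adds, changes or drops relative to upstream."""
    up, cand = file_digests(upstream), file_digests(candidate)
    return {
        "added": sorted(p for p in cand if p not in up),
        "modified": sorted(p for p in cand if p in up and cand[p] != up[p]),
        "removed": sorted(p for p in up if p not in cand),
    }


def foreign_commits(candidate: list, upstream: list) -> list:
    """Commits present in the candidate history but absent from upstream.

    A faithful mirror has none; a re-uploaded copy with injected code carries
    at least one commit that upstream never published.
    """
    upstream_shas = {c.sha for c in upstream}
    return [c for c in candidate if c.sha not in upstream_shas]


def vet_repository(upstream: list, candidate: list) -> dict:
    """Report how the candidate diverges from upstream, plus a simple verdict."""
    if not upstream or not candidate:
        raise ValueError("both histories must be non-empty")
    extra = foreign_commits(candidate, upstream)
    diff = compare_trees(upstream[-1].tree, candidate[-1].tree)
    shares_root = candidate[0].sha == upstream[0].sha
    touched = diff["added"] + diff["modified"] + diff["removed"]
    report = {
        "shares_root_commit": shares_root,
        "foreign_commits": [c.sha for c in extra],
        **diff,
    }
    if not extra and not touched:
        report["verdict"] = "matches upstream"
    elif shares_root:
        report["verdict"] = "diverges from upstream: review changed files before use"
    else:
        report["verdict"] = "unrelated history: treat as untrusted"
    return report


# Constructed sample histories (not real repositories or commit ids).
UPSTREAM = [
    Commit("c001", None, {"README.md": b"# demo tool\n", "tool.py": b"print('hello')\n"}),
    Commit("c002", "c001", {"README.md": b"# demo tool\nUsage: python tool.py\n",
                            "tool.py": b"print('hello')\n"}),
]
# A re-uploaded copy: the same two commits plus one that adds a file and edits
# tool.py. The added content is a placeholder, not a real payload.
TAMPERED = UPSTREAM + [
    Commit("x9f0", "c002", {"README.md": UPSTREAM[-1].tree["README.md"],
                            "tool.py": b"import helper\nprint('hello')\n",
                            "helper.py": b"# constructed placeholder for injected code\n"}),
]
CLEAN_MIRROR = list(UPSTREAM)

if __name__ == "__main__":
    for name, repo in (("clean mirror", CLEAN_MIRROR), ("tampered copy", TAMPERED)):
        print(name, vet_repository(UPSTREAM, repo))
```

The verdict deliberately distinguishes a copy that shares the upstream root commit but adds its own commits (review those files) from one with no shared history at all (the name match is the only link, so treat it as untrusted). Against real clones, the commit lists would be read with `git rev-list` and the trees with `git ls-tree`, but the comparison logic is the same.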
