35K Malicious Code Insertions in GitHub: Attack or Bug-Bounty Effort?
In the last month, "Pl0xP" cloned several GitHub repositories, adding malicious code to the forks that would attempt to infect developer systems and steal sensitive files that included software keys.
A hacker going by the handle "Pl0xP" cloned a large number of GitHub repositories and slightly changed the cloned repository names, in a typosquatting effort to impersonate legitimate projects — thus potentially infecting any software that imported the code, software experts said today.
The widespread cloning resulted in more than 35,000 insertions of a malicious URL into different code repositories, although the exact number of affected software projects is likely much smaller, software engineer Stephen Lacy stated in an early morning Twitter post. The attack, a variant of dependency confusion, could have caused problems for developers using the fake GitHub repositories without adequate verification of the software source, he said.
If imported, the malicious code runs on the importing system, according to Lacy. "This attack will send the ENTIRE ENV of the script, application, laptop (electron apps), to the attacker's server! ENVs include: Security keys; AWS access keys; Crypto keys … much more."
"ENVs" are environment variables, used to store information that developers want to reference in their workflows.
The software engineer found the malicious functionality when he audited a software library that he considered incorporating into his own project, Lacy said.
"I discovered the exploit as I was reviewing a project I found off a Google search," he tweeted. "This is why we don't install random packages off the internet!"
Cloning — or "forking" — is not a new malicious technique, but it's a tricky one.
"Bad actors have already been known in the past for creating cloned/forked popular repositories with malicious code," says Mor Weinberg, Aqua Security software engineer. "This can become quite difficult to spot, as cloned repositories may retain code commits with usernames and email addresses of the original authors, giving off a misleading impression that newer commits were made by the original project authors as well. Open source code commits signed with GPG keys of authentic project authors are one way of verifying the authenticity of code."
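One way to put the signed-commit check Weinberg describes into practice, as an added example that is not from the article or from any project involved: it reads `git log` output in a tab-separated format (commit hash, signature status, signing-key fingerprint, author name) and flags every commit that is unsigned, carries a bad or uncheckable signature, or is signed by a key outside an allow-list of the upstream authors' fingerprints. The fingerprints, author names and sample log lines are constructed placeholders, not real keys.

```python
"""Flag commits in a cloned repository that are not signed by an allow-listed key."""
import subprocess
from dataclasses import dataclass

# Constructed placeholder fingerprints; a real allow-list holds the upstream maintainers' keys.
TRUSTED_FP = "0123456789ABCDEF0123456789ABCDEF01234567"
UNKNOWN_FP = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
TRUSTED_FINGERPRINTS = {TRUSTED_FP}

# %H hash, %G? signature status, %GF signing-key fingerprint, %an author name (tab-separated).
GIT_FORMAT = "%H%x09%G?%x09%GF%x09%an"

# Constructed sample of what `git log --format=GIT_FORMAT` prints for four commits.
SAMPLE_LOG = [
    f"{'a' * 40}\tG\t{TRUSTED_FP}\tUpstream Maintainer",   # good signature, trusted key
    f"{'b' * 40}\tN\t\tUnknown Contributor",               # unsigned commit
    f"{'c' * 40}\tG\t{UNKNOWN_FP}\tUnknown Contributor",   # valid signature, key not allow-listed
    f"{'d' * 40}\tU\t{TRUSTED_FP}\tUpstream Maintainer",   # valid signature, gpg trust unknown
]


@dataclass
class Failure:
    commit: str
    author: str
    status: str
    fingerprint: str
    reason: str


def check_commit_lines(lines, trusted=TRUSTED_FINGERPRINTS):
    """Return a Failure for each commit that is not validly signed by an allow-listed key."""
    failures = []
    for line in lines:
        if not line.strip():
            continue
        commit, status, fingerprint, author = line.rstrip("\n").split("\t", 3)
        if status == "N":
            reason = "unsigned commit"
        elif status not in ("G", "U"):   # B=bad, E=cannot check, X/Y/R=expired or revoked key
            reason = f"signature status {status!r} is not a valid signature"
        elif fingerprint.upper() not in trusted:
            reason = f"signed by key {fingerprint} that is not in the allow-list"
        else:
            continue   # valid signature; "U" is accepted only because the fingerprint is allow-listed
        failures.append(Failure(commit, author, status, fingerprint, reason))
    return failures


def check_repo(path, rev_range="HEAD", trusted=TRUSTED_FINGERPRINTS):
    """Run git log over rev_range in the repository at path and check every commit."""
    out = subprocess.run(["git", "-C", path, "log", f"--format={GIT_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return check_commit_lines(out.splitlines(), trusted)
```

Pointing `check_repo` at a freshly cloned fork with the upstream authors' fingerprints allow-listed reports exactly the commits whose authorship is not backed by a trusted signature, regardless of what author name or email the commit metadata claims.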