Thousands of GitHub repositories were forked (copied) with their clones altered to include malware, a software engineer discovered today.
While cloning open source repositories is a common development practice and even encouraged among developers, this case involves threat actors creating copies of legitimate projects but tainting these with malicious code to target unsuspecting developers with their malicious clones.
GitHub has purged most of the malicious repositories after receiving the engineer’s report.
35,000 GitHub projects not hijacked
Today, software developer Stephen Lacy left everyone baffled when he claimed having discovered a “widespread malware attack” on GitHub affecting some 35,000 software repositories.
Contrary to what the original tweet seems to suggest, however, “35,000 projects” on GitHub have not been affected or compromised in any manner.
Rather, the thousands of backdoored projects are copies (forks or clones) of legitimate projects purportedly made by threat actors to push malware.
Official projects like crypto, golang, python, js, bash, docker, k8s, remain unaffected. But, that is not to say, the finding is unimportant, as explained in the following sections.
Software engineer Stephen Lacy first publicized the finding (Twitter)
While reviewing an open source project Lacy had “found off a google search,” the engineer noticed the following URL in the code that he shared on Twitter:
BleepingComputer, like many, observed that when searching GitHub for this URL, there were 35,000+ search results showing files containing the malicious URL. Therefore, the figure represents the number of suspicious files rather than infected repositories:
We further discovered, out of the 35,788 code results, more than 13,000 search results were from a single repository called ‘redhat-operator-ecosystem.’
This repository, seen by BleepingComputer this morning, appears to have now been removed from GitHub, and shows a 404 (Not Found) error.
The engineer has since issued corrections and clarifications [1, 2] to his original tweet.
Malicious clones equip attackers with remote access
Developer James Tucker pointed out that cloned repositories containing the malicious URL not only exfiltrated a user’s environment variables but additionally contained a one-line backdoor.
Exfiltration of environment variables by itself can provide threat actors with vital secrets such as your API keys, tokens, Amazon AWS credentials, and crypto keys, where applicable.
But, the single-line instruction (line 241 above) further allows remote attackers to execute arbitrary code on systems of all those who install and run these malicious clones.
As far as the timeline of this activity goes, we observed deviating results.
The vast majority of forked repositories were altered with the malicious code sometime within the last month—with results ranging from six to thirteen days to twenty days ago. However, we did observe some repositories with malicious commits dated as far back as 2015.
The most recent commits containing the malicious URL made to GitHub today are mostly from defenders, including threat intel analyst Florian Roth who has provided Sigma rules for detecting the malicious code in your environment.
Ironically, some GitHub users began erroneously reporting Sigma’s GitHub repo, maintained by Roth, as malicious on seeing the presence of malicious strings (for use by defenders) inside Sigma rules.
GitHub has removed the malicious clones from its platform as of a few hours ago, BleepingComputer can observe.
As a best practice, remember to consume software from the official project repos and watch out for potential typosquats or repository forks/clones that may appear identical to the original project but hide malware.
This can become more difficult to spot as cloned repositories may continue to retain code commits with usernames and email addresses of the original authors, giving off a misleading impression that even newer commits were made by the original project authors. Open source code commits signed with GPG keys of authentic project authors are one way of verifying the authenticity of code.