GitHub Repositories Weren’t Hacked

While tens of thousands of GitHub repositories were not hacked, as initially suspected, many repositories have been cloned and then laced with poisonous malware content.

Aug 4th, 2022 10:33am by Steven J. Vaughan-Nichols

Featued image for: GitHub Repositories Weren’t Hacked

Featured image by Roman Synkevych 🇺🇦 on Unsplash.

The good news is that tens of thousands of GitHub repositories were not hacked. I repeat, “Not hacked.” But many repositories have been cloned and then laced with poisonous malware content.

In this case, software programmer Stephen Lacy reported on Twitter that he’d found “What seems to be a massive widespread malware attack on @github.

Currently over 35k repositories are infected
So far found in projects including: crypto, golang, python, js, bash, docker, k8s
It is added to npm scripts, docker images and install docs”

Not as Bad as It Looked

After a closer look, however, it turned out it wasn’t nearly as bad as Lacy said. He himself admitted, “Correction, 35k+ ‘code hits’ on github, not infected repositories.”

And, of those, more than 13,000 malicious files were from a single repository. ‘Redhat-operator-ecosystem.’ This repository has since been removed.

Lacy also worked out that the original files had not been compromised or infected. Instead, they were cloned with names that sounded legitimate. This is an all-too-common attack vector. Always make sure that you use the exact, correct repos for your projects. Remember, you’re only one minor typo from a compromised project.

It also turned out that the major repositories, such as bash, crypto, docker, golang, python, and k8s, were left untouched. But don’t think that means you don’t need to worry about this. As the Javascript libraries ‘colors.js’ and `faker.js’ fiasco showed, even small, obscure, damaged code files can cause big damage.

As for this particular case, the malware-infected files both exfiltrated a user’s environment variables and contained a one-line backdoor. The former is bad enough–with it, an attacker could gain access to your API keys, credentials, and crypto keys–but with the latter, an attacker can run arbitrary code on your systems. Just what you always needed, right?

More Smoke Than Fire

Still, this was a case where there was more smoke than fire. As GitHub Security put it, after checking out the report:

* No repositories were compromised

* Malicious code was posted to cloned repositories, not the repositories themselves

* The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts

So, it wasn’t a nothingburger, but it wasn’t really a big deal either.

The moral of the story is that while you should keep your eyes open for security problems, you shouldn’t treat every random report on the net of a new security concern as a disaster. Unfortunately, these days, with one security blowup after another, it’s understandable that we’re all a little bit nervous.

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast internet connection, WordStar was the state-of-the-art word processor, and we liked it.