GitHub Repositories Weren’t Hacked
The good news is that tens of thousands of GitHub repositories were not hacked. I repeat, “Not hacked.” But many repositories have been cloned and then laced with poisonous malware content.
- Currently over 35k repositories are infected
- So far found in projects including: crypto, golang, python, js, bash, docker, k8s
- It is added to npm scripts, docker images and install docs”
Not as Bad as It Looked
After a closer look, however, it turned out it wasn’t nearly as bad as Lacy said. He himself admitted, “Correction, 35k+ ‘code hits’ on github, not infected repositories.”
And, of those, more than 13,000 malicious files were from a single repository. ‘Redhat-operator-ecosystem.’ This repository has since been removed.
Lacy also worked out that the original files had not been compromised or infected. Instead, they were cloned with names that sounded legitimate. This is an all-too-common attack vector. Always make sure that you use the exact, correct repos for your projects. Remember, you’re only one minor typo from a compromised project.
As for this particular case, the malware-infected files both exfiltrated a user’s environment variables and contained a one-line backdoor. The former is bad enough–with it, an attacker could gain access to your API keys, credentials, and crypto keys–but with the latter, an attacker can run arbitrary code on your systems. Just what you always needed, right?
More Smoke Than Fire
Still, this was a case where there was more smoke than fire. As GitHub Security put it, after checking out the report:
* Malicious code was posted to cloned repositories, not the repositories themselves
* The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts
So, it wasn’t a nothingburger, but it wasn’t really a big deal either.
The moral of the story is that while you should keep your eyes open for security problems, you shouldn’t treat every random report on the net of a new security concern as a disaster. Unfortunately, these days, with one security blowup after another, it’s understandable that we’re all a little bit nervous.