GitHub, a code repository with more than 83 million developers, has been targeted in a supply chain attack.
The attack was unearthed earlier this week by software developer Stephen Lacy and involved a hacker cloning and adding malicious code to more than 35,000 GitHub repositories while keeping intact the code’s original source code. Nearly 40 percent (13,000) of the repositories compromised originated from a single organization, called “redhat-operator-ecosystem” on the site, a spoof of the RedHat openshift ecosystem.
The cloned projects attempted to lure users to click on them by spoofing genuine user accounts, using names identical to the original project and legitimate-sounding firm names.
The malicious code allowed the repositories to exfiltrate the environment variables containing sensitive data like Amazon AWS credentials, API keys, crypto keys, and a one-line backdoor. The malware also allowed remote hackers to execute arbitrary code on those systems that install/run the clones.
The weaponized code could lead to developers accidentally downloading cloned code repositories that contain malicious code. If used in their applications, this would then lead them to expose their users to code that includes malware.
Fortunately, Lacy thwarted the attack by removing the affected projects and organizations including Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned.
According to security experts, cloning open-source code is common among developers. But, in this case, the hackers injected malicious code/links into genuine GitHub projects to target innocent users.
The methodology applied by hackers is identical to the approach unearthed by ReversingLabs last month, where typo-squatting packages were being picked up by GitHub-owned NPM, and then exfiltrated data from forms designed with the malicious packages.
Additionally, the researchers identified more than two dozen infected packages, all cloning popular NPM packages, stretching back to December 2021.
Thwarting supply chain attacks
GitHub has issued an advisory for guarding the code supply chain on its website.
• For accounts employed for personal use as well as those used by organizations and enterprises, set up two-factor authentication.
• Connect to GitHub using secure socket shell (SSH) keys.
• For enterprises, centralize user authentication.
• Design a vulnerability management program for dependencies which will allow them to have full visibility over any vulnerabilities the code they are using has.
• Avoid using passwords or API keys within the source code.
• Block vulnerable coding patterns by reviewing and examining all pull requests before merging.
