Stories
Slash Boxes
Comments

SoylentNews is people

35,000 Code Repos Not Hacked—But Clones Flood Github To Serve Malware

posted by janrinok on Thursday August 04, @01:51PM   Printer-friendly
from the attack-of-the-clones dept.

Arthur T Knackerbracket has processed the following story:

Thousands of GitHub repositories were forked (copied) with their clones altered to include malware, a software engineer discovered today.

While cloning open source repositories is a common development practice and even encouraged among developers, this case involves threat actors creating copies of legitimate projects but tainting these with malicious code to target unsuspecting developers with their malicious clones.

GitHub has purged most of the malicious repositories after receiving the engineer's report.

Today, software developer Stephen Lacy left everyone baffled when he claimed having discovered a "widespread malware attack" on GitHub affecting some 35,000 software repositories.

Contrary to what the original tweet seems to suggest, however, "35,000 projects" on GitHub have not been affected or compromised in any manner.

Rather, the thousands of backdoored projects are copies (forks or clones) of legitimate projects purportedly made by threat actors to push malware.

Official projects like crypto, golang, python, js, bash, docker, k8s, remain unaffected. But, that is not to say, the finding is unimportant, as explained in the following sections.

While reviewing an open source project Lacy had "found off a google search," the engineer noticed the following URL in the code that he shared on Twitter:

hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru

BleepingComputer, like many, observed that when searching GitHub for this URL, there were 35,000+ search results showing files containing the malicious URL. Therefore, the figure represents the number of suspicious files rather than infected repositories:

We further discovered, out of the 35,788 code results, more than 13,000 search results were from a single repository called 'redhat-operator-ecosystem.'

[...] As a best practice, remember to consume software from the official project repos and watch out for potential typosquats or repository forks/clones that may appear identical to the original project but hide malware.

This can become more difficult to spot as cloned repositories may continue to retain code commits with usernames and email addresses of the original authors, giving off a misleading impression that even newer commits were made by the original project authors. Open source code commits signed with GPG keys of authentic project authors are one way of verifying the authenticity of code.

Original Submission

 
This discussion was created by janrinok (52) for logged-in users only. Log in and try again!
35,000 Code Repos Not Hacked—But Clones Flood Github To Serve Malware | Log In/Create an Account | Top | 12 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 5, Insightful) by vux984 on Thursday August 04, @05:48PM (3 children)

    by vux984 (5045) on Thursday August 04, @05:48PM (#1264941)

    "The worst part of contemporary open source philosophy is the continuous update paradigm."

    Just like democracy, its terrible, its just less terrible than everything else we've tried.
    Because the alternative of leaving known security vulnerabilities in the production environment forever is definitely not a better solution.

    Starting Score:    1  point
    Moderation   +3  
       Insightful=3, Total=3
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   5  

  • (Score: 1, Informative) by Anonymous Coward on Thursday August 04, @08:38PM

    by Anonymous Coward on Thursday August 04, @08:38PM (#1264966)

    FYI: the fortune on the bottom of the page right now:

    Democracy is a form of government that substitutes election by the incompetent many for appointment by the corrupt few. -- G. B. Shaw

  • (Score: 2) by darkfeline on Friday August 05, @03:35AM (1 child)

    by darkfeline (1030) on Friday August 05, @03:35AM (#1265033) Homepage

    > its just less terrible than everything else we've tried

    It's not. Every dependency manager that does "continuous update" provides lock files to pin specific versions of all dependencies.

    Everyone agrees that continuous update sucks so much that no one uses it. Instead, they update those pinned versions at a regular cadence without sufficient vetting of those updates.

    Which is a subtly different problem. "Continuous update" means you simply don't know when you update your dependencies. "Lock and update" means that you do know when you update your dependencies, you just don't care if you blow your eye out.

    --
    Join the SDF Public Access UNIX System today!

    • (Score: 2) by vux984 on Friday August 12, @06:23PM

      by vux984 (5045) on Friday August 12, @06:23PM (#1266341)

      "Everyone agrees that continuous update sucks so much that no one uses it."

      Heh, not 'no one'; there's been a quite few puplic instances of it happening to projects using CI pipelines that just grabbed latest version without even a conscious decision to update the dependencies.
      And the way most of the world runs their systems; Windows in particular is forced & automatic for most people (although you can usually roll back), but even say, ios updates -- sure you have to click ok, but there's no way for the average person to make any meaningful evalation ahead of time. And if you just click ok when prompted, that's pretty much 'continuous updates' too, and there's not even the option to roll back in a lot of cases.

      But yes, I fully agree, well run/responsibly run projects, use lock files, or local caches or something along that line to limit the cadence of dependency updates, and limit them to happening 'deliberately' even if testing or vetting isn't really inadequate.