IOTW: Malicious actors gain access to GitHub source code

GitHub has reported that a malicious actor gained access to a set of repositories used in the planning and development of GitHub Desktop and text and source code editor Atom.

The source code repository said that it became aware of the data breach after “unauthorized access” was detected on its servers on December 7, 2022. A set of encrypted code-signing certificates were stolen during a breach. GitHub reported that the certificates were password-protected and there was “no evidence of malicious use”.

The hacker gained access to the source-code repositories on December 6, 2022, after using a compromised Personal Access Token (PAT) associated with a machine account to clone repositories from its Atom, desktop and “other deprecated GitHub-owned organizations”.

As a preventative measure, GitHub has said that it will “revoke the exposed certificates used for the GitHub Desktop and Atom applications” meaning users must update their applications before February 2, 2023, to continue using them.

CircleCI phishing attack against GitHub

On September 16, 2022, GitHub reported a phishing attack that involved a malicious actor posing as code integration and delivery platform CircleCI in order to harvest login credentials and authentication codes from employees and gain access to various user accounts.

The phishing site used by the hacker relayed time-based-one-time-passwords (TOTP) two-factor-authentication codes to the hacker in real time, allowing them to gain access to accounts protected by TOTP two-factor authentication. Accounts protected by hardware security keys were not vulnerable to this attack.

Throughout the attack, the malicious actor was able to gain access to and download multiple private code repositories and use techniques to preserve their access to the account even in the event that the compromised user or organization changed their password.

GitHub supply-chain attack affects 83 million developers

On August 3, 2022, a cyber attack against GitHub was discovered by software developer Stephen Lacy. During the attack, a bad actor cloned and added malicious code to more than 35,000 GitHub repositories while keeping the code’s original source code.  

Almost 40 percent (13,000) of the repositories affected originated from a single organization, referred to as “redhat-operator-ecosystem” on the site, a spoof of RedHat OpenShift Ecosystem.

I am uncovering what seems to be a massive widespread malware attack on @github.

- Currently over 35k repositories are infected
- So far found in projects including: crypto, golang, python, js, bash, docker, k8s
- It is added to npm scripts, docker images and install docs pic.twitter.com/rq3CBDw3r9

— Stephen Lacy (@stephenlacy) August 3, 2022

The cloned projects attempted to trick users into clicking on them by spoofing genuine user accounts, using names very similar to the original projects they were clones of and using legitimate-sounding organization names. 

The malicious code allowed the repositories to collect information on the environment they were executed in, for example information on the device that executed it and its user. It also had the potential to collect other sensitive data.

The code could also download additional malware from a third-party site allowing it to further exploit any application or environment that was using the malicious cloned code originally introduced to the GitHub repositories.

The weaponized code could lead to developers accidentally downloading cloned code repositories which contain the malicious code. If used in their applications, this would then lead them to exposing their users to code which includes malware. With an 83-million-strong developer audience, the ramifications could prove devastating.

The attack was reported to GitHub by Lacy, who claimed to have “cleaned up” the attack and stopped it spreading further by removing the affected projects and organizations.