A recent large-scale attempt to manipulate GitHub code repositories reinforces the importance of paying attention to exactly what you’re downloading. Malicious code tied to a single actor was found in about 35,000 forks and clones on the platform, with most created in the last few weeks.
The threat actor has since stepped up on Twitter to identify themselves, claiming it was a demonstration to take advantage of a bug bounty from GitHub. The activity is far from consistent with typical bug bounty disclosures, however, and the attacker may have been inserting malicious code for years at a much smaller scale before ramping up recently.
Was mass malicious code forking on GitHub done for a bug bounty?
The attacker claims that this was all a demonstration of a typosquatting vulnerability, that is, the use of seemingly identical clones of legitimate code repositories as an attack vector. However, GitHub users and security researchers quickly noted that the malicious code was designed to actively steal credentials and open a backdoor into target systems.
Perhaps needless to say, bug bounties don’t generally involve actually hacking the users of a platform and stealing personal information from them or placing malicious code on their systems. Responsible disclosures are also generally done in private to avoid letting out dangerous secrets and sparking copycats. The hacker’s claim on Twitter of ethically contacting the maintainers of the 35,000 code repositories that they maliciously cloned did not inspire any more confidence in their story.
The hacker was exposed because the same URL used to deliver the malicious code appeared in every one of the projects they forked, and while the majority of these forks were created in the last few weeks, there are reports of the URL showing up in cloned code repositories as far back as seven years ago. GitHub has traced all of these instances and removed them from the platform at this point, but little stands in the way of anyone who wants to repeat the same process on their own.
Open access to GitHub code repositories means vigilance is always required
The original GitHub code repositories involved in this attack were not breached or hacked in any way, but anyone is free to make clones or forks of them, and those copies can carry malicious code.
In this case, the attacker set up the clones to install a backdoor on victim systems and steal elements used for online authentication, such as API keys and crypto keys. With those in hand, the attacker could not only have made off with victims' money and taken over their accounts, but also deployed further malware on their devices to maintain an ongoing presence.
There are a number of ways to help insulate code repositories against this sort of attack, such as tightening up the verification status and signing process for commits. But ultimately, the only real defense is user education: the end user must be aware of the possibility of bad forks and on the lookout for them as they browse the platform.
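As an added example (not part of the article, and not GitHub's own tooling), the following Python sketches two defender-side checks this incident suggests: flagging repository names that are near-misses of a trusted upstream, the typosquatting described above, and spotting a single URL that recurs across many unrelated repositories, which is what exposed the forks. All repository names, hosts and file contents are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample data: trusted upstreams and hosts that legitimately recur in many repos.
TRUSTED_REPOS = {"example-org/crypto-lib", "example-org/web-framework"}
BENIGN_HOSTS = {"github.com", "pypi.org"}
URL_RE = re.compile(r"https?://([\w.-]+)(?:/[\w./-]*)?")  # group 1 is the host

# Constructed clones; "attacker.example" is a placeholder indicator, not a real IoC.
SAMPLE_REPOS = {
    "example-org/crypto-lib": {"README.md": "Docs: https://github.com/example-org/crypto-lib"},
    "exampel-org/crypto-lib": {"setup.py": 'URL = "https://attacker.example/payload"'},
    "example-org/crypto-1ib": {"setup.py": 'URL = "https://attacker.example/payload"'},
    "unrelated/tool": {"init.py": 'URL = "https://attacker.example/payload"'},
}

def edit_distance(a, b):
    """Levenshtein distance using the standard row-by-row dynamic programming update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_typosquat(full_name, trusted=TRUSTED_REPOS, max_distance=2):
    """A name that is a near-miss of a trusted repository, but not the repository itself."""
    if full_name in trusted:
        return False
    return any(edit_distance(full_name.lower(), t.lower()) <= max_distance for t in trusted)

def shared_indicators(repos, min_repos=3):
    """URLs on non-benign hosts that recur across at least min_repos distinct repositories."""
    hits = defaultdict(set)
    for name, files in repos.items():
        for content in files.values():
            for m in URL_RE.finditer(content):
                if m.group(1) not in BENIGN_HOSTS:
                    hits[m.group(0)].add(name)
    return {url: names for url, names in hits.items() if len(names) >= min_repos}

def triage(repos, trusted=TRUSTED_REPOS):
    """Map each flagged repo to its reasons: 'typosquat' and/or 'shared-indicator:<url>'."""
    flagged = defaultdict(list)
    for name in (n for n in repos if is_typosquat(n, trusted)):
        flagged[name].append("typosquat")
    for url, names in shared_indicators(repos).items():
        for name in sorted(names):
            flagged[name].append(f"shared-indicator:{url}")
    return dict(flagged)
```

Running `triage(SAMPLE_REPOS)` flags both near-miss names and every repository carrying the recurring placeholder URL, while the genuine upstream, whose only link points at a benign host, is left alone.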