Millions of GitHub Repos Found Infected With Malicious Code

Security researchers from Apiiro have uncovered a worrying trend: a “repo confusion” campaign in which attackers have seeded GitHub with over 100,000 malicious repositories that impersonate legitimate projects.

The tactic relies on the sheer size and open nature of GitHub: a developer searching for a project can easily land on a look-alike copy instead of the original, and nothing in the platform stops an attacker from publishing such copies at scale.

How Does it Work?

  1. Cloning Popular Repos: Attackers pick popular repositories such as TwitterFollowBot and WhatsappBOT and clone them.
  2. Injecting Malware: The clones are laced with malware designed to steal login credentials, browser data, and other sensitive information.
  3. Uploading to GitHub: The infected clones are pushed back to GitHub under identical names, so that a developer who searches by name may pick the malicious copy by mistake.
  4. Spreading the Deception: Attackers use automation to fork each malicious repository thousands of times and promote the forks on forums and platforms frequented by developers.

According to the report, when a developer runs code from one of these tainted repositories, it unpacks a hidden payload wrapped in seven layers of obfuscation.

Unpacking yields malicious Python code together with a binary executable, specifically a modified build of BlackCap-Grabber.

The malicious code harvests login credentials from various applications, browser passwords, cookies, and other confidential data, and sends it to the attackers’ command-and-control server.

The report describes this as the start of a long series of further malicious actions on the victim machine.
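The static check a practitioner would want for the “injecting malware” step and for the seven-layer payload described above is a way to peel nested exec(decode(...)) wrappers without running them. The following is an added example, not code from Apiiro’s report or from any of the impersonated projects: an AST-based unpacker that statically evaluates constant decode chains feeding exec() or eval() and reports how deep the layering goes. The set of decoders it understands (base64, zlib, hex, byte reversal), the constructed samples, and every function name are assumptions made for the example; the report does not say which primitive each of the seven layers uses.

```python
"""Static unpacker for nested exec(decode(...)) obfuscation layers.

Added example; not code from Apiiro's report or from the impersonated
projects. Assumes layers are built from base64 / zlib / hex / byte
reversal feeding exec() or eval(). The samples below are constructed
and carry an inert placeholder instead of a real stealer.
"""
import ast
import base64
import zlib

# Decoders evaluated statically. Any other primitive (e.g. a symmetric
# cipher layer with an embedded key) stops the walk; what is left needs
# sandboxed dynamic analysis rather than more static peeling.
DECODERS = {
    "base64.b64decode": base64.b64decode,
    "b64decode": base64.b64decode,
    "zlib.decompress": zlib.decompress,
    "decompress": zlib.decompress,
    "bytes.fromhex": lambda b: bytes.fromhex(b.decode()),
    "fromhex": lambda b: bytes.fromhex(b.decode()),
}


def _call_name(func):
    """Dotted name of a call target ('base64.b64decode', 'exec'); '' if dynamic."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""  # e.g. __import__('zlib').decompress -> caller sees 'decompress'


def _is_reverse_slice(s):
    """True for the [::-1] idiom used to hide a blob by reversing it."""
    return (isinstance(s, ast.Slice) and s.lower is None and s.upper is None
            and isinstance(s.step, ast.UnaryOp) and isinstance(s.step.op, ast.USub)
            and isinstance(s.step.operand, ast.Constant) and s.step.operand.value == 1)


def _decode_chain(node):
    """Evaluate a constant decode chain without executing code; None if unknown."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        return node.value.encode() if isinstance(node.value, str) else node.value
    if isinstance(node, ast.Subscript):  # blob[::-1]
        inner = _decode_chain(node.value)
        return inner[::-1] if inner is not None and _is_reverse_slice(node.slice) else None
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Attribute) and node.func.attr == "decode":
            return _decode_chain(node.func.value)  # blob.decode() changes nothing for us
        if not node.args:
            return None
        inner = _decode_chain(node.args[0])
        fn = DECODERS.get(_call_name(node.func))
        if inner is None or fn is None:
            return None
        try:
            return fn(inner)
        except Exception:  # malformed blob: treat as opaque
            return None
    return None


def peel(source, max_layers=32):
    """Return the successive decoded layers; the last item is the innermost code."""
    layers, current = [], source
    for _ in range(max_layers):
        try:
            tree = ast.parse(current)
        except SyntaxError:
            break
        payload = None
        for node in ast.walk(tree):
            if (isinstance(node, ast.Call) and node.args
                    and _call_name(node.func).rsplit(".", 1)[-1] in ("exec", "eval")):
                payload = _decode_chain(node.args[0])
                if payload is not None:
                    break
        if payload is None:
            break
        current = payload.decode("utf-8", "replace")
        layers.append(current)
    return layers


def report(name, source):
    """Summary a repo scanner would emit per file (layer count, innermost preview)."""
    layers = peel(source)
    return {"file": name, "layers": len(layers),
            "innermost": layers[-1][:60] if layers else None}


# --- constructed samples (not real malware) -------------------------------
INNER = "def grabber():\n    return 'placeholder: a real payload would exfiltrate here'\n"


def wrap(code):
    """One obfuscation layer of the exec(zlib(base64(...))) kind, built for the sample."""
    blob = base64.b64encode(zlib.compress(code.encode())).decode()
    return f"import base64, zlib\nexec(zlib.decompress(base64.b64decode({blob!r})))\n"


SAMPLE = wrap(wrap(wrap(INNER)))  # three layers deep
_rev = base64.b64encode(b"x = 1\n")[::-1]  # reversed blob, the [::-1] trick
REVERSED_SAMPLE = f"import base64\nexec(base64.b64decode({_rev!r}[::-1]))\n"

if __name__ == "__main__":
    for n, s in (("sample.py", SAMPLE), ("reversed.py", REVERSED_SAMPLE), ("clean.py", INNER)):
        print(report(n, s))
```

If a layer uses a primitive outside DECODERS, peel() stops there and reports fewer layers than really exist, so a low count is not a clean bill of health; any exec() or eval() of a decoded blob in a freshly cloned repository is a finding in its own right, and the remaining layers belong in a sandbox, not on a developer workstation.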

The Scope of the Attack

Apiiro’s research suggests that this attack campaign began in mid-2023 and has grown significantly in recent months. 

Over 100,000 repositories are confirmed to be infected, and the true number could potentially reach millions.

Timeline of the Attack

  • May 2023: Malicious packages containing parts of the current payload appear on PyPI (Python Package Index).
  • July – August 2023: Attackers shift to directly uploading infected repositories to GitHub after PyPI removes the malicious packages.
  • November 2023 – Present: Over 100,000 infected repositories detected, and the number keeps growing.

Apiiro recommends its own code analysis platform for detecting such attempts, saying it helps identify and mitigate these threats and so improves code security. Independently of any vendor tool, the practical checks are to clone from the project's canonical owner rather than from a search result, to be wary of forks that appear by the thousand with no history of their own, and to treat obfuscated exec chains in a freshly cloned repository as a red flag.
