Security researchers from Apiiro have uncovered a worrying trend: over 100,000 GitHub repositories have been compromised in a “repo confusion” attack.
This attack tactic leverages the vast size and open nature of the GitHub platform to target unsuspecting developers.
How Does it Work?
- Cloning Popular Repos: Attackers target popular repositories like TwitterFollowBot, WhatsappBOT, etc., and create copies of them.
- Injecting Malware: These copies are infected with malware designed to steal login credentials, browser data, and other sensitive information.
- Uploading to GitHub: The infected repositories are uploaded back to GitHub with identical names, hoping unsuspecting developers will choose them by mistake.
- Spreading the Deception: Attackers use automation to create thousands of forks (copies) of these malicious repositories and promote them through online forums and platforms frequented by developers.
According to the report, upon use of the tainted repositories, unsuspecting developers inadvertently unpack a hidden payload consisting of seven layers of obfuscation.
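A pre-clone triage check of the kind a defender could script against this tactic, written here as an added example (not Apiiro's tooling and not code from the article): it takes repository records shaped like the GitHub REST API's repository object and flags a look-alike that carries a watched name under a different owner, whose fork chain does not lead back to the intended upstream, that was created recently, and that has few stars. The canonical owners, thresholds, user names and sample records are assumptions constructed for the example.

```python
"""Heuristic triage for "repo confusion" look-alikes (added illustration, not Apiiro's tooling).
Records mimic a few fields of the GitHub REST API repository object; all samples are constructed."""
from datetime import datetime, timezone

# Constructed allow-list: bare repo name -> the owner/name a team actually intends to use.
# The owners here are placeholders, not the real upstream projects.
CANONICAL = {
    "TwitterFollowBot": "example-org/TwitterFollowBot",
    "WhatsappBOT": "example-org/WhatsappBOT",
}

def _age_days(iso_ts, now):
    """Days between an ISO-8601 timestamp (GitHub style, trailing Z) and `now`."""
    return (now - datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))).days

def assess_repo(repo, now=None, max_age_days=90, min_stars=50):
    """Return the reasons a repo looks like a confusion clone; an empty list means no flags."""
    now = now or datetime.now(timezone.utc)
    canonical = CANONICAL.get(repo["name"])
    if canonical is None or repo["full_name"] == canonical:
        return []  # not a watched name, or it is the intended upstream itself
    reasons = [f"name matches a watched repo but owner differs from {canonical}"]
    if repo.get("fork") and repo.get("parent", {}).get("full_name") != canonical:
        reasons.append("fork whose parent is not the canonical repo (fork-of-a-fork chain)")
    if _age_days(repo["created_at"], now) <= max_age_days:
        reasons.append(f"created within the last {max_age_days} days")
    if repo.get("stargazers_count", 0) < min_stars:
        reasons.append("low star count for a repo carrying a popular name")
    return reasons

def triage(repos, now=None):
    """Map full_name -> reasons for every repo that raised at least one flag."""
    return {r["full_name"]: rs for r in repos if (rs := assess_repo(r, now))}

# Constructed sample records; the user names are made up.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "TwitterFollowBot", "full_name": "example-org/TwitterFollowBot", "fork": False,
     "stargazers_count": 2400, "created_at": "2016-05-10T00:00:00Z"},
    {"name": "TwitterFollowBot", "full_name": "rand0m-user-1/TwitterFollowBot", "fork": True,
     "parent": {"full_name": "rand0m-user-0/TwitterFollowBot"},
     "stargazers_count": 3, "created_at": "2024-02-20T00:00:00Z"},
    {"name": "unrelated-tool", "full_name": "someone/unrelated-tool", "fork": False,
     "stargazers_count": 10, "created_at": "2024-02-25T00:00:00Z"},
]

if __name__ == "__main__":
    for full_name, reasons in triage(SAMPLE, NOW).items():
        print(full_name, "->", "; ".join(reasons))
```

The heuristics are deliberately simple signals, not proof of compromise; a hit means "inspect before cloning", and the intended upstream record passes with no flags.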
This process involves extracting malicious Python code and a binary executable, specifically a modified version of BlackCap-Grabber.
The malicious code functions to gather login credentials from diverse applications, browser passwords, cookies, and other confidential data, subsequently transmitting it to the attackers’ command-and-control server.
This sets off a cascade of additional malicious activities.
The Scope of the Attack
Apiiro’s research suggests that this attack campaign began in mid-2023 and has grown significantly in recent months.
Over 100,000 repositories are confirmed to be infected, and the true number could potentially reach millions.
Timeline of the Attack
- May 2023: Malicious packages containing parts of the current payload appear on PyPI (Python Package Index).
- July – August 2023: Attackers shift to directly uploading infected repositories to GitHub after PyPI removes the malicious packages.
- November 2023 – Present: Over 100,000 infected repositories detected, with the number constantly growing.
Apiiro recommends using its code analysis system to detect such malicious attempts, saying it helps identify and mitigate potential threats and improves the security of code.