Thousands of GitHub repositories have been copied, and the clones include malware, as software engineer Stephen Lacy was able to verify. He calculates that there are 35,000 cloned repositories.
While cloning open source repositories is a common development practice, in this case threat actors created copies of legitimate projects and contaminated them with malicious code, using the clones to attack unsuspecting developers.
GitHub has said that it has already removed most of the malicious repositories after receiving the engineer’s report, although no exact figure has been given.
This was the discovery
The thousands of affected projects are copies or clones of legitimate projects, allegedly created by threat actors to introduce malware. This means that the official projects (crypto, golang, python, js, bash, docker, k8s) have not been affected, but a developer can come across a copy without knowing what it is.
The engineer who raised the alarm was reviewing an open source project that he had “found on a Google search” and saw the following URL in the code, which he shared on Twitter: “hxxp://ovz1.j19544519.pr46m .vps.myjino[.]ru”
I am uncovering what seems to be a massive widespread malware attack on @github.
– Currently over 35k repositories are infected
– So far found in projects including: crypto, golang, python, js, bash, docker, k8s
– It is added to npm scripts, docker images and install docs pic.twitter.com/rq3CBDw3r9
— Stephen Lacy (@stephenlacy) August 3, 2022
Bleeping Computer found that of the 35,788 code results for these clones, more than 13,000 came from a single repository called ‘redhat-operator-ecosystem’, which no longer appears.
Developer James Tucker pointed out that the cloned repositories containing the malicious URL contained a one-line backdoor. Such backdoors can hand threat actors vital secrets such as API keys, tokens, Amazon AWS credentials, and cryptographic keys.
The vast majority of the forked repositories were altered with the malicious code sometime in the last month. Experts advise developers using the platform to consume software from a project’s official repository and to be on the lookout for typosquats or repository forks/clones that look identical to the original project but hide malware.
Open source commits signed with the GPG keys of a project’s authentic authors are one way to verify the authenticity of the code.
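As an added example of that signature check (not code from the article or from anyone it quotes), this Python script reads `git log` signature status output and flags commits that are unsigned, badly signed, or signed by a key outside a maintainer allowlist; the allowlist fingerprint, commit hashes and sample log lines are constructed for illustration.

```python
import subprocess

# Hypothetical maintainer key fingerprint allowlist (constructed for this example).
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# One tab-separated record per commit: %G? signature status, hash, signer key
# fingerprint, author name, subject. These placeholders are documented in git-log(1).
LOG_FORMAT = "%G?%x09%H%x09%GF%x09%an%x09%s"

# %G? codes that mean the signature is absent or cannot be trusted.
BAD_STATUSES = {"B": "bad signature", "X": "good signature, expired",
                "Y": "good signature, expired key", "R": "good signature, revoked key",
                "E": "signature cannot be checked (key missing)", "N": "unsigned commit"}

def audit_signatures(log_output: str, trusted: set) -> list:
    """Return (commit, author, reason, subject) for every commit that is unsigned, badly
    signed, or signed (status G or U) by a key whose fingerprint is not in the allowlist."""
    findings = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        status, commit, fingerprint, author, subject = line.split("\t", 4)
        if status in BAD_STATUSES:
            findings.append((commit, author, BAD_STATUSES[status], subject))
        elif fingerprint.upper() not in trusted:
            findings.append((commit, author,
                             "signed by a key outside the maintainer allowlist", subject))
    return findings

def git_log_signatures(repo_path: str, revision_range: str = "HEAD") -> str:
    """Collect the log for a local clone; needs git and the maintainers' public keys imported."""
    return subprocess.run(["git", "-C", repo_path, "log", f"--format={LOG_FORMAT}", revision_range],
                          check=True, capture_output=True, text=True).stdout

# Constructed sample log (hashes, fingerprints and authors are fake) in the LOG_FORMAT shape.
SAMPLE_LOG = "\n".join([
    "G\t" + "a" * 40 + "\t0123456789ABCDEF0123456789ABCDEF01234567\tMaintainer\tRelease 1.4.0",
    "N\t" + "b" * 40 + "\t\tsomeone\tupdate install script",
    "U\t" + "c" * 40 + "\t" + "F" * 40 + "\tsomeone\tAdd postinstall hook",
])

if __name__ == "__main__":
    for commit, author, reason, subject in audit_signatures(SAMPLE_LOG, TRUSTED_FINGERPRINTS):
        print(f"{commit[:12]} {reason}: {subject} ({author})")
```

Running it against a real clone means replacing `SAMPLE_LOG` with `git_log_signatures(path)`, after importing the maintainers' public keys so that git can report `G` rather than `E`.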