Xinzhiyuan report

Editor: David

[Xinzhiyuan Guide] The whistleblower said on Twitter that he has reported the incident to GitHub and reminded everyone not to install strange packages. At present, most of the malicious clones have been officially removed.

GitHub attacked again? And this time a massive attack involving 35,000 repositories?
 
The news did not come from an official source; it was tweeted by Twitter user Stephen Lacy (@stephenlacy).
 
According to his profile, Stephen Lacy is a software engineer working in cryptography and open source, and a game developer who built a game called "PlayGodfall".
 
He claims to have discovered a widespread, large-scale malicious attack on GitHub, with more than 35,000 repositories infected so far.
 
(He corrected this shortly afterwards: more than 35,000 code "snippets" were infected, not 35,000 repositories.)
 
Lacy said that well-known repositories across crypto, golang, python, js, bash, docker and k8s are affected, including NPM scripts, Docker images and installation files.
 
He said that, for now, these malicious commits look harmless, with names resembling routine version updates.
 
Looking at the repositories' commit histories, some commits appear to come from the original repository owner, some are attributed to users that no longer exist, and some belong to archived repositories.
 
As for the attack method: the malicious code uploads a variety of secrets found in the library to the attacker's own server, including security keys, AWS access keys, encryption keys and so on.
 
Once that data has been uploaded, the attacker can run arbitrary code on your server.
 
Sounds scary, doesn't it?
 
In addition to stealing secrets, the attacker also constructs a fake repository link and pushes a clone to GitHub dressed up as the legitimate repository, shifting the blame onto the original author.
 
Lacy said he discovered these attacks while looking at a project he had found through a Google search, so the first thing to watch out for is not to install any strange package found on the Internet.
 
In addition, the best defense against this kind of impersonation is to use GPG signatures.
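As an added example (not code from the article or from Lacy), here is a shell check that applies that advice on the consumer side: before running anything from a freshly cloned repository, it lists the signature status of the recent commits and refuses the clone unless every one carries a good GPG signature from a key already imported and trusted locally. It assumes git is installed; the repository path and commit count are arguments the caller supplies.

```shell
#!/bin/sh
# Added example, not code from the article or from Stephen Lacy: refuse to use a
# freshly cloned repository unless its recent commits carry good GPG signatures
# from keys already imported and trusted in the local keyring. Assumes git is installed.

# Print how many of the last N commits have a signature status other than "G"
# (good signature from a trusted key), using git's %G? placeholder.
count_untrusted_commits() {
    repo="$1"
    count="${2:-20}"
    bad=0
    # %G? values: G good, U good but untrusted key, N no signature,
    # B bad signature, E/X/Y/R key missing, expired or revoked.
    for s in $(git -C "$repo" log --max-count="$count" --format='%G?' HEAD); do
        [ "$s" = "G" ] || bad=$((bad + 1))
    done
    echo "$bad"
}

# Report each recent commit with its signature status, author and subject (a
# routine-looking subject such as "v1.0.1" says nothing about authenticity) and
# return non-zero if any commit lacks a good, trusted signature.
check_signed_commits() {
    repo="$1"
    count="${2:-20}"
    if ! git -C "$repo" rev-parse --verify HEAD >/dev/null 2>&1; then
        echo "not a git repository with commits: $repo" >&2
        return 2
    fi
    git -C "$repo" log --max-count="$count" --format='%G? %h %an <%ae> %s' HEAD |
    while read -r status hash rest; do
        case "$status" in
            G) printf 'ok        %s %s\n' "$hash" "$rest" ;;
            U) printf 'UNTRUSTED %s %s\n' "$hash" "$rest" ;;
            N) printf 'UNSIGNED  %s %s\n' "$hash" "$rest" ;;
            *) printf 'BAD(%s)    %s %s\n' "$status" "$hash" "$rest" ;;
        esac
    done
    bad=$(count_untrusted_commits "$repo" "$count")
    if [ "$bad" -ne 0 ]; then
        echo "refusing: $bad of the last $count commits lack a trusted signature" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_signed_commits.sh /path/to/clone [commits]
if [ "$#" -gt 0 ]; then
    check_signed_commits "$@"
fi
```

A status of U (good signature, untrusted key) still fails the check on purpose: a signature only proves authorship once the key has been verified and trusted out of band.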
 
For now, Lacy says he has reported his findings to GitHub, but there has been no official response from GitHub yet.

The latest news, according to BleepingComputer, is that GitHub has removed most of the repositories containing malicious content after receiving reports of the incident.

According to that site, the 35,000 original repositories were not "hijacked" but cloned with malicious content added: thousands of backdoors were inserted into copies (forks or clones) of normal, legitimate projects in order to push malware.


References:
https://twitter.com/stephenlacy/status/1554697077430505473
https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/