"35K Malicious Code Insertions in GitHub: Attack or Bug-Bounty Effort?"
In a typosquatting effort to impersonate legitimate projects, a hacker using the handle "Pl0xP" cloned a large number of GitHub repositories and slightly changed the cloned repository names, potentially infecting any software that imported the code. According to software engineer Stephen Lacy, the widespread cloning resulted in more than 35,000 insertions of a malicious URL into various code repositories, though the exact number of affected software projects is likely much smaller. The attack, a variant of dependency confusion, could have caused issues for developers who used the fake GitHub repositories without adequate verification of the software source. According to Lacy, when malicious code is imported, it executes code on the system. The entire ENV of the script, application, laptop (electron apps) will be sent to the attacker's server in this attack. ENVs are environment variables used to store data that developers want to reference in their workflows. Security keys, AWS access keys, and crypto keys are examples of ENVs. When the software engineer audited a software library he was considering incorporating into his own project, he discovered the malicious functionality. GitHub appears to have cleaned up the malicious code commits, as a search for the embedded bad URL yielded no results as of the afternoon of August 3. However, this is not the first time that open-source projects have faced an attack. Attacks on the software supply chain increased by 650 percent in 2021, primarily due to dependency-confusion attacks, in which the attacker uses an almost identically named version of an open-source code block in the hopes of developers mistyping the name of a desired library or component or failing to notice the slight difference in nomenclature. This article continues to discuss the 35K malicious code insertions in GitHub, whether it is an attack or legitimate research, and the rise in attacks against the software supply chain.
Dark Reading reports "35K Malicious Code Insertions in GitHub: Attack or Bug-Bounty Effort?"