"How Attackers Could Dupe Developers into Downloading Malicious Code From GitHub"
It is simple to counterfeit the metadata that developers look at when deciding whether to use an open-source project on GitHub, giving attackers a chance to deceive users into downloading malicious code. Researchers at Checkmarx caution in a new paper that developers should be diligent when checking the identities of people committing code to a repository and should not take that information at face value.

Developers seeking an open-source project on GitHub prefer those that are active, maintained, and associated with developers who have an established track record on the platform. One of the data points they consider is the number of commits, or changes, that a contributor has made to a project over time. GitHub gives each change a unique ID that describes the specific change that was made, shows who made it, and provides a timestamp. In general, a project with a large number of commits is regarded as evidence that it is actively maintained.

According to Checkmarx, an attacker can easily fake or forge all of these data points to lend credibility to their code and trick unsuspecting developers into downloading malicious code. For example, the timestamp associated with each commit can be manipulated to make it appear that a change occurred at a time when it did not; all a threat actor needs to do is change two variables on their local machine. A malicious actor who creates a new GitHub account can therefore falsify numerous commits with timestamps spanning years to make it appear they have been active on the platform for a long time.

Checkmarx researchers said the 'activity graph' displayed on a user's profile page is a prominent measure of that user's activity on GitHub. This graph is essentially a heatmap depicting the user's activity over time. As a result, if malicious actors can create commits with any timestamp they want, they can populate this graph with fictitious activity.
This article continues to discuss the different ways in which attackers can trick developers into downloading malicious code from GitHub.
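The checks a defender can run before trusting a contributor's history, as an added example that is not code from the Checkmarx paper or the article above: git records an author date and a committer date for every commit, and both are set by the committing machine, so the script below reads `git log --format='%H%x09%an%x09%ae%x09%aI%x09%cI%x09%G?'` (hash, author name, author email, author date, committer date, signature status) and flags commits that are unsigned or fail signature verification, are dated before the repository existed, are dated in the future, or whose author and committer timestamps disagree. The sample log, the clock and the repository creation date are constructed values. An attacker who sets both timestamps consistently passes the skew check, which is why the creation-date and signature checks are the ones that carry weight.

```python
"""Audit git commit metadata for the forgery signs the article describes.

Added example, not code from the Checkmarx paper or the article. Feed it the
tab-separated output of

    git log --format='%H%x09%an%x09%ae%x09%aI%x09%cI%x09%G?'

from a clone. The sample log, NOW and REPO_CREATED below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Meaning of the one-letter codes git prints for the %G? placeholder.
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature could not be checked",
    "N": "no signature",
}

# Constructed sample output; the hashes and people are fictional.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("1" * 40, "Alice Example", "alice@example.com",
     "2023-09-01T10:00:00+00:00", "2023-09-01T10:00:00+00:00", "G"),
    # Back-dated author timestamp, committed recently, unsigned.
    ("2" * 40, "Mallory Faker", "mallory@example.com",
     "2015-03-04T12:00:00+00:00", "2023-09-02T11:00:00+00:00", "N"),
    # Both timestamps back-dated consistently, unsigned.
    ("3" * 40, "Mallory Faker", "mallory@example.com",
     "2016-06-07T08:00:00+00:00", "2016-06-07T08:00:00+00:00", "N"),
    # Future-dated commit whose signature fails verification.
    ("4" * 40, "Mallory Faker", "mallory@example.com",
     "2031-01-01T00:00:00+00:00", "2031-01-01T00:00:00+00:00", "B"),
])

# Constructed reference points; in practice take the repository creation
# date from the hosting platform and the clock from the auditing machine.
NOW = datetime(2023, 9, 10, tzinfo=timezone.utc)
REPO_CREATED = datetime(2023, 8, 1, tzinfo=timezone.utc)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    author_date: datetime
    committer_date: datetime
    sig_status: str


def parse_log(text: str) -> List[Commit]:
    """Parse one tab-separated git log line per commit into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, a_date, c_date, sig = line.split("\t")
        commits.append(Commit(sha, name, email,
                              datetime.fromisoformat(a_date),
                              datetime.fromisoformat(c_date), sig))
    return commits


def audit(commits: List[Commit], now: datetime = NOW,
          repo_created: datetime = REPO_CREATED,
          max_skew: timedelta = timedelta(days=1)) -> Dict[str, List[str]]:
    """Return {sha: [findings]} for every commit whose metadata looks forged."""
    report: Dict[str, List[str]] = {}
    for c in commits:
        findings = []
        if c.sig_status != "G":
            status = SIGNATURE_STATUS.get(c.sig_status, "unknown status " + c.sig_status)
            findings.append("signature: " + status)
        skew = abs(c.author_date - c.committer_date)
        if skew > max_skew:
            findings.append(f"author and committer dates differ by {skew.days} days")
        if max(c.author_date, c.committer_date) > now:
            findings.append("timestamp is in the future")
        if c.author_date < repo_created:
            findings.append("author date predates the repository")
        if findings:
            report[c.sha] = findings
    return report


def flagged_commits_by_author(commits: List[Commit],
                              report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count flagged commits per author email: a quick view of whom to verify."""
    counts: Dict[str, int] = {}
    for c in commits:
        if c.sha in report:
            counts[c.author_email] = counts.get(c.author_email, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    result = audit(found)
    for sha, findings in result.items():
        print(sha[:12], "; ".join(findings))
    print(flagged_commits_by_author(found, result))
```

The script only inspects what the clone carries; GitHub's own "Verified" badge on a commit comes from the same signature check, so a contributor whose history is unsigned and predates their account is the case the article warns about, and the name on the commit should be confirmed through a channel other than the commit itself.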