Threat Watch

Over 35,000 Instances of Malicious Code Discovered in Cloned GitHub Repositories

On Wednesday, it was mistakenly claimed that 35,000 projects on GitHub had been affected by a malware attack. After some investigation, the attack was found to actually be the cloning of thousands of projects with malicious code added. This malicious code specifically pulls a copy of all the environment (ENV) variables, sends them to a remote Command and Control server, and sets up a backdoor. GitHub has since removed the malicious repositories.

ANALYST NOTES

While the official packages were not compromised, the malware-injected clones were discoverable via a Google search for the original repository, meaning that users may have inadvertently installed the malware on their systems. Companies should include the downloading and updating of GitHub repositories as part of their Change Control Plan, verifying that the code being pulled is from the original author and signed with their GPG keys.
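
One way to implement the "original author, GPG-signed" check from the note above, as an added example (not code from the article or from Threat Watch): it assumes a constructed allowlist of upstream owner/repo slugs and that the maintainers' public keys have already been imported and trusted in the local GPG keyring.

```python
import re
import subprocess
from pathlib import Path
from typing import Optional

# Constructed allowlist of upstream projects change control permits pulling from,
# keyed by GitHub owner/repo slug (assumption: maintained outside this script).
TRUSTED_UPSTREAMS = {"python/cpython", "golang/go"}

# Accepts the HTTPS, scp-style SSH and ssh:// remote forms GitHub hands out.
_REMOTE_RE = re.compile(
    r"^(?:https://github\.com/|git@github\.com:|ssh://git@github\.com/)"
    r"(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?/?$"
)

def parse_github_remote(url: str) -> Optional[str]:
    """Normalise a GitHub remote URL to 'owner/repo'; None for anything else."""
    m = _REMOTE_RE.match(url.strip())
    return f"{m['owner']}/{m['repo']}" if m else None

def is_trusted_upstream(url: str) -> bool:
    """True only when the remote resolves to an allowlisted slug, so a clone
    under a look-alike owner such as 'python-official/cpython' is rejected."""
    slug = parse_github_remote(url)
    return slug is not None and slug.lower() in {s.lower() for s in TRUSTED_UPSTREAMS}

def _git(repo_dir: Path, *args: str) -> Optional[str]:
    """Run git in repo_dir; stdout on success, None on failure or missing git."""
    try:
        r = subprocess.run(["git", "-C", str(repo_dir), *args],
                           capture_output=True, text=True, check=False)
    except OSError:
        return None
    return r.stdout.strip() if r.returncode == 0 else None

def commit_signature_ok(repo_dir: Path, ref: str = "HEAD") -> bool:
    """Require a signature git reports as 'G': good, and made by a key the local
    keyring trusts. %G? also yields U/X/Y/R/E/B/N for weaker or failed states,
    all of which fail here. The maintainers' public keys must be imported and
    trusted in GPG beforehand (assumption: done as part of change control)."""
    return _git(repo_dir, "log", "-1", "--format=%G?", ref) == "G"

def repo_passes_change_control(repo_dir: Path) -> bool:
    """Gate a pulled repository: allowlisted origin AND a trusted-signed HEAD."""
    origin = _git(repo_dir, "remote", "get-url", "origin")
    if origin is None or not is_trusted_upstream(origin):
        return False
    return commit_signature_ok(repo_dir)
```

Run `repo_passes_change_control(Path("/path/to/clone"))` before integrating a freshly pulled repository; a look-alike owner or an unsigned HEAD fails the gate.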

Companies may also find value in bringing Dev environments under SIEM coverage. There is extra overhead in managing alerting for a Dev environment, since development activities frequently trigger false positives, but once normal behavior has been tuned out, malicious code that was mistakenly downloaded and integrated can be detected this way.

https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/