Facepalm: GitHub serves as a colossal hub for software development, hosting nearly half a billion code projects created by hundreds of millions of developers worldwide. Given its extensive reach and the sheer volume of activity, the platform presents an opportunity for cyber-criminals, who in this instance have exploited the vast network to orchestrate a Python-based malicious campaign.
Security researchers at Apiiro have recently uncovered a malware-spreading campaign designed to exploit the capabilities of the GitHub platform. The attack, which started in May 2023 with “several” malicious packages uploaded to the Python Package Index (PyPI) official repository, was capable of impacting at least 100,000 GitHub repositories and “presumably” millions more.
The malware campaign is a demonstration of how malicious actors can easily exploit GitHub’s ability to automatically and efficiently fork code repositories, Apiiro said. The unknown cyber-criminals cloned existing repos, infecting them with malware loaders before they uploaded the compromised code back to GitHub with identical names.
GitHub provides developer-friendly APIs and tools that can be used to automatically generate accounts and repos, and the criminals exploited the feature to fork the uploaded malicious packages thousands of times. When an unsuspecting developer uses a compromised repo, Apiiro researchers explained, they help spread the malicious code, which is mostly a modified version of BlackCap-Grabber.
The malware employs seven layers of obfuscation to try to hide its payloads, which are designed to collect login credentials, browser passwords and cookies, and other confidential data. Once collection is complete, the data is sent to a command and control (C&C) server managed by the cyber-criminals, while the malware performs a “long series” of additional malicious activities.
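Seeing through layered obfuscation like this is what a defender has to do before any static review of a suspect repo is meaningful. The following added example (not Apiiro's, GitHub's or the malware's code) statically peels nested `exec(base64/zlib ...)` wrappers of the kind common in Python loaders, evaluating only known decoder calls so the payload itself is never executed; the fixture that builds the test input wraps a benign statement and is constructed here, and the wrapper shapes it handles are assumptions rather than details taken from the campaign.

```python
import ast, base64, zlib

SAFE_DECODERS = {("base64", "b64decode"): base64.b64decode,  # the only calls evaluated
                 ("zlib", "decompress"): zlib.decompress}      # statically; nothing is exec'd

def _static_eval(node):
    """Evaluate a literal, a safe decoder call, or a trailing .decode() on one."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if node.func.attr == "decode" and not node.args:
            return _static_eval(node.func.value).decode()
        if isinstance(node.func.value, ast.Name) and len(node.args) == 1:
            fn = SAFE_DECODERS.get((node.func.value.id, node.func.attr))
            if fn is not None:
                return fn(_static_eval(node.args[0]))
    raise ValueError("refusing to evaluate a non-decoder expression")

def unwrap_layer(source):
    """Return the code hidden in a lone exec(<decoder chain>) statement, else None."""
    try:
        stmts = [s for s in ast.parse(source).body
                 if not isinstance(s, (ast.Import, ast.ImportFrom))]
        call = stmts[0].value if len(stmts) == 1 and isinstance(stmts[0], ast.Expr) else None
        if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
                and call.func.id == "exec" and len(call.args) == 1):
            return None
        inner = _static_eval(call.args[0])
        return inner.decode() if isinstance(inner, bytes) else inner
    except (SyntaxError, ValueError, zlib.error):  # malformed or unsupported layer
        return None

def peel(source, max_layers=32):
    """Peel nested exec() wrappers; returns (layer_count, innermost_source)."""
    layers = 0
    while layers < max_layers and (inner := unwrap_layer(source)) is not None:
        source, layers = inner, layers + 1
    return layers, source

def make_fixture(inner, layers):
    """Constructed test input: benign code wrapped in alternating base64 / zlib+base64 layers."""
    for i in range(layers):
        raw = zlib.compress(inner.encode()) if i % 2 else inner.encode()
        enc = base64.b64encode(raw).decode()
        decoder = (f"zlib.decompress(base64.b64decode(b'{enc}')).decode()" if i % 2
                   else f"base64.b64decode('{enc}')")
        inner = f"import base64, zlib\nexec({decoder})"
    return inner
```

Anything that is not a literal fed through the listed decoders (a file read, a network fetch, `compile`, a marshalled blob) stops the peeling and is returned as-is, which is the point where a human or sandbox takes over.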
GitHub confirmed that it’s aware of the campaign’s existence, and that fighting this kind of activity is easier said than done. The platform hosts over 100 million developers building across over 420 million repositories, and there are dedicated teams working to detect, analyze and remove content and accounts that violate the platform’s Acceptable Use Policies.
Manual and machine learning-based review procedures are employed to detect and fight back against “adversarial tactics,” GitHub said, but the company is seemingly a victim of its own success. The recently uncovered attack seems to be mostly automated on a large scale, and GitHub is designed to promote automation and code reuse. Even if 1 percent of the compromised repos survive, Apiiro explained, there are thousands of malicious but legitimate-looking code repositories still lurking on GitHub.