GitHub has long been a beacon for developers, enabling them to store, manage, and share codes with others worldwide. It allows coders to share their work, allowing for some of the most successful open-source codes. But now, thanks to an automated malicious repo confusion campaign, the platform is being flooded with destructive code that unsuspecting patrons are downloading.
The security firm Apiiro posted its findings of the attacks on its page. There, they stated that over 100,000 GitHub repositories had been attacked, which is merely the lowest estimate. The number is likely in the millions. The attacks work by cloning existing repos, like TwitterFollowBot, WhatsappBOT, discord-boost-tool, Twitch-Follow-Bot, and more, infecting them with malware loaders, and then uploading them back to GitHub under identical names.
Millions of repos on GitHub are under siege from malicious repos
From there, they are automatically forked thousands of times. The malicious repos are promoted discreetly online through forums and the messaging app Discord. Through these malicious repositories, the hidden payload will unpack layers and obfuscation. Afterward, the code (mostly a modded version of BlackCap-Grabber) can collect sensitive information from the infected system.
The campaign has been going on for months. However, it started much smaller in May 2023, with only a few suspicious packages uploaded to PyPI containing early versions of the current payload. Since November 2023, hundreds of thousands of these malicious repos have been uploaded to the server, infecting potentially millions of unsuspecting patrons with the payload.
GitHub has yet to post a public response to the attack. However, Apiiro reported being notified of these attacks, and many of the malicious repos have been removed from the platform. However, they’re still working through it, and if you encounter anything suspicious, you’re encouraged to report it.
While there’s no way to remain entirely protected from malware when using open-source resources like GitHub, the larger the platform is, the better the security. However, the sheer number of users on the platform makes it a prime target for malware attacks. GitHub has stayed on top of the attacks to protect its users as best it can, but there’s no guarantee. It’s in your best interest to stay safe while using open-source software and code and checking the code through Python if anything seems suspicious.
