Silent infiltration: the malicious code epidemic on GitHub
Impact of malicious code in repositories: security risks in software development
Cybercriminals have cloned over 100,000 GitHub repositories, inserting malware that steals sensitive data. They use deceptive forks and sophisticated techniques to hide malicious code.
Recent investigations by the cybersecurity firm Apiiro revealed an extensive compromise of repositories on GitHub. The software development hosting platform was targeted by cybercriminals who replicated and modified over 100,000 repositories to carry malicious code. The attack, initially detected on PyPI, quickly spread by exploiting the mass cloning of repositories already in circulation, which magnified the extent of the damage.
Deception strategies and malicious forks
The authors of this malware campaign disguise their dangerous creations as legitimate copies of authentic GitHub repositories, using the same names. The malware is inserted into the original code, and through an incessant chain of forks the infection keeps propagating. With compromised repositories in wide circulation, large numbers of package developers and users have unknowingly downloaded and run pernicious payloads under the guise of genuine software.
Harmful effects of malware
Once a contaminated repository is run, the malicious code it carries steals sensitive information such as credentials, passwords and browser cookies. More precisely, the implanted software is a variant of BlackCap-Grabber, built to collect sensitive data and transfer it to command-and-control servers operated by the cybercriminals, adding a further set of harmful actions.
Sophisticated evasion techniques
An examination carried out by the Trend Micro group highlighted that the malware uses advanced methods to hide its presence within the source code of the repositories. Notable is the adoption of exec smuggling, a trick for executing code dynamically in a seemingly harmless way by padding the exec statement with long runs of whitespace, so that it escapes visual inspection during code review.
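As an added example (not code from the article, from Apiiro or from Trend Micro), a small Python checker for the exec-smuggling pattern described above: it locates exec/eval calls by parsing the AST, so whitespace padding cannot push them out of sight, and separately flags long whitespace runs inside a line. The sample source is constructed for the demonstration.

```python
import ast
import re

# Constructed sample: a harmless-looking line whose trailing exec() call is pushed
# far to the right behind a run of spaces, so it sits off-screen in a review pane.
SAMPLE_SOURCE = (
    "import base64\n"
    "x = 1" + " " * 300 + ";exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"
    "print(x)\n"
)

DYNAMIC_EXEC_NAMES = ("exec", "eval")


def find_dynamic_exec(source: str, min_gap: int = 40):
    """Return a list of (line_no, reason) findings for the given Python source.

    Two independent checks are run:
      1. AST walk: any direct call to exec() or eval(), reported with its column,
         regardless of how the line is formatted.
      2. Text scan: any run of at least `min_gap` spaces/tabs that sits between
         two non-space characters (indentation is not counted), i.e. code hidden
         behind padding on the same line.
    """
    findings = []

    # Check 1: structural detection that formatting tricks cannot defeat.
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        findings.append((err.lineno or 0, "source does not parse; text scan only"))
    else:
        for node in ast.walk(tree):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in DYNAMIC_EXEC_NAMES):
                findings.append((node.lineno,
                                 f"{node.func.id}() call at column {node.col_offset}"))

    # Check 2: whitespace padding between code fragments on one line.
    gap_pattern = re.compile(r"\S([ \t]{%d,})\S" % min_gap)
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = gap_pattern.search(line)
        if match:
            findings.append((line_no,
                             f"{len(match.group(1))} whitespace characters hide trailing code"))

    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for line_no, reason in find_dynamic_exec(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}")
```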
03/03/2024 14:08
Marco Verro