Silent infiltration: the malicious code epidemic on GitHub

Recent investigations conducted by cybersecurity firm Apiiro revealed an extensive compromise of repositories on GitHub. The software development hosting platform was targeted by cybercriminals who replicated and modified over 100,000 repositories with malicious code. The malicious attack, initially detected on PyPI, quickly spread by exploiting the massive cloning of repositories already in circulation, thus increasing the extent of the damage.

Deception strategies and malicious forks

The authors of this malware campaign disguise their dangerous creations as legitimate copies of authentic repositories on GitHub, using the same names. The malware is incorporated into the original code, then through an incessant repetition of forks, it continues its infectious chain. With compromised repositories in wide circulation, large numbers of package developers and users have unknowingly downloaded and activated pernicious payloads under the guise of genuine software.

Harmful effects of malware

Upon opening contaminated repositories, attackers deploy malicious code designed to extort sensitive information such as credentials, passwords, and browsing cookies. More precisely, the intrusive software implemented is a variation of BlackCap-Grabber , designed to remove sensitive data and transfer it to command and control servers operated by cybercriminals, thus adding a further set of harmful actions.

Sophisticated evasion techniques

An examination carried out by the Trend Micro group highlighted that the malware uses advanced methods to hide its malicious presence within the source code of the repositories. Note the adoption of exec smuggling , a trick for executing code in a harmlessly flashy dynamic manner by spacing the exec statement with large sequences of white space, thus evading visual inspections during code reviews.