Security News > 2024 > March > GitHub struggles to keep up with automated malicious forks

A malware distribution campaign that began last May with a handful of malicious software packages uploaded to the Python Package Index has spread to GitHub and expanded to reach at least 100,000 compromised repositories.

According to security firm Apiiro, the campaign to poison code involves cloning legitimate repos, infecting them with malware loaders, uploading the altered files to GitHub under the same name, then forking the poisoned repo thousands of times and promoting the compromised code in forums and on social media channels.

Developers looking for useful code may therefore find a repo that's describes as useful and at first glance appears appropriate, only to have their personal data pilfered by a hidden payload that runs malicious Python code and a binary executable.

"It then sends it back to the malicious actors' C&C server and performs a long series of additional malicious activities."

Awareness and automated scanning is all very well - but Apiiro's Giladi and David observed that GitHub missed many automated repo forks, as well as the manually uploaded ones.

"Because the whole attack chain seems to be mostly automated on a large scale, the one percent that survive still amount to thousands of malicious repos," the authors wrote, adding that if you count removed repos in the total, the campaign probably involved millions of malicious clones and forks.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/01/github_automated_fork_campaign/