Cybersecurity firm Checkmarx recently found that attackers had injected malicious code into hundreds of repositories on GitHub. Private repositories were reportedly affected alongside public ones, which led the researchers to conclude that the attack was carried out with automated scripts.
The attack reportedly took place between July 8 and July 11 this year. The attackers compromised hundreds of GitHub repositories and forged commit metadata so that the commits appeared to come from Dependabot, GitHub's open-source dependency-update automation tool. The aim was to disguise the malicious activity: a developer who sees a commit attributed to Dependabot tends to assume it is routine and pays little attention to it.
The attack can be divided into three stages. The first is locating the developer's personal access token. The Checkmarx researchers explained that a developer must use a personal token to set up a development environment for Git operations, and that this token is stored locally on the developer's machine, where it is easy to obtain. Because these tokens are not protected by two-factor authentication, an attacker who obtains one can use it without further challenge.
(Image: Checkmarx)
The second stage is stealing the credentials. The researchers are not certain how the attackers obtained the developer credentials, but they consider the most likely scenario to be that the victims' computers were infected with a Trojan, which then uploaded the personal tokens located in the first stage to the attackers' servers.
(Image: Checkmarx)
In the final stage, the attackers used the stolen tokens to authenticate to GitHub and inject malicious code into the repositories. Given the scale of the attack, the researchers believe the attackers used an automated process to deploy it.
Checkmarx reminds developers to be careful about where their code comes from, even on trusted platforms such as GitHub. The attack succeeded because many developers do not review the actual changes when they see a commit attributed to Dependabot.
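A defender-side check for the point above, added here as an example that is not part of Checkmarx's report or GitHub's tooling: genuine Dependabot commits are signed by GitHub and show as verified, whereas a commit pushed over git with a stolen token can copy Dependabot's name and e-mail but not that signature. The record layout, the `dependabot[bot]` login and its noreply e-mail are assumptions based on GitHub's REST API for listing commits; the sample commits are constructed.

```python
"""Flag commits that carry Dependabot's identity but lack GitHub's verified signature."""
from __future__ import annotations

# Assumed identity of the real Dependabot account on GitHub.
DEPENDABOT_LOGIN = "dependabot[bot]"
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"


def _commit(sha, name, email, verified, login, message):
    """Build a record shaped like one entry of GET /repos/{owner}/{repo}/commits
    (assumption: field names as in the REST API; all values here are constructed)."""
    return {
        "sha": sha,
        "commit": {
            "author": {"name": name, "email": email},
            "message": message,
            "verification": {"verified": verified, "reason": "valid" if verified else "unsigned"},
        },
        "author": {"login": login},
    }


# Constructed sample: one genuine Dependabot commit, two impostors, one ordinary commit.
SAMPLE_COMMITS = [
    _commit("a1b2c3d", "dependabot[bot]", DEPENDABOT_EMAIL, True, DEPENDABOT_LOGIN,
            "Bump lodash from 4.17.20 to 4.17.21"),
    # Pushed with a stolen token: author fields copied from Dependabot, no GitHub signature.
    _commit("d4e5f6a", "dependabot[bot]", DEPENDABOT_EMAIL, False, DEPENDABOT_LOGIN,
            "Bump lodash from 4.17.21 to 4.17.22"),
    # Only the display name spoofed; GitHub attributes it to the token owner.
    _commit("b7c8d9e", "dependabot[bot]", "dev@example.com", False, "victim-dev",
            "Update dependencies"),
    _commit("f0e1d2c", "Jane Doe", "jane@example.com", False, "jane-doe", "Refactor parser"),
]


def claims_dependabot(commit):
    """True if the commit's author name or e-mail presents itself as Dependabot."""
    author = commit["commit"]["author"]
    return "dependabot" in (author.get("name", "") + author.get("email", "")).lower()


def is_genuine_dependabot(commit):
    """Genuine Dependabot commits are attributed to the bot account *and* verified by GitHub."""
    login = (commit.get("author") or {}).get("login")
    verified = commit["commit"].get("verification", {}).get("verified")
    return login == DEPENDABOT_LOGIN and verified is True


def find_spoofed(commits):
    """Return SHAs of commits that look like Dependabot's but fail the genuineness check."""
    return [c["sha"] for c in commits if claims_dependabot(c) and not is_genuine_dependabot(c)]


if __name__ == "__main__":
    for sha in find_spoofed(SAMPLE_COMMITS):
        print(f"review manually: {sha} claims Dependabot but has no verified signature")
```

Against a live repository the same functions can be fed the JSON returned by the commits endpoint; any SHA they return is worth a manual diff review before trusting it.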
Because token access logs are available only to enterprise accounts, users without an enterprise account have no way of knowing whether their GitHub token has been obtained by attackers.
The researchers recommend that users consider switching to the new type of GitHub token (fine-grained personal access tokens) and scoping token permissions narrowly, to minimize the damage an attacker can do if a token is compromised.
(Image: Checkmarx)
(Image: GitHub)
Sources:
- Checkmarx: Surprise: When Dependabot Contributes Malicious Code.
- GitHub: Introducing fine-grained personal access tokens for GitHub.