
GitHub Battles Surge in Malicious Repository Forks

Malware targeting the software supply chain has compromised more than 100,000 GitHub repositories. Attackers inject malicious code into copies disguised as legitimate projects.


The security community has uncovered that a malware distribution effort, initiated last May with malicious software packages on the Python Package Index (PyPI), has now extended its reach to GitHub. The campaign has successfully compromised over 100,000 repositories, marking a significant surge in attempts to inject malicious code into the software supply chain. Security firm Apiiro has reported this escalating threat, highlighting the tactics involved in cloning and infecting legitimate repositories before employing automated processes to create thousands of dangerous forks.

Tactics Unveiled

The attackers' methods involve taking legitimate repositories, infecting them with malware loaders (a variation of BlackCap-Grabber), and then re-uploading these altered repositories under identical names on GitHub. These poisoned repositories are then forked numerous times and promoted across forums and social media, deceiving developers into downloading and using seemingly benign code that harbors harmful payloads. These payloads are programmed to steal personal data, login credentials from various applications, browser cookies, and other data. Matan Giladi and Gil David from Apiiro detailed these activities, emphasizing the collection of confidential data sent back to the attackers' command-and-control servers, following a series of additional malicious actions.
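The clone-rename-fork pattern described above leaves metadata traces a defender can score: a known project name under a different owner, a freshly created copy, a fork count out of proportion to its stars, and a young owning account. The following triage heuristic is an added example written for this article, not code from Apiiro or GitHub; the repository records, the `CANONICAL` allowlist and the point weights are constructed assumptions, not GitHub API output.

```python
"""Heuristic triage for cloned-and-renamed ("repo confusion") repositories."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Repo:
    owner: str
    name: str
    created: date
    stars: int
    forks: int
    owner_age_days: int  # age of the owning account, in days


# Project name -> owner of the legitimate repository (constructed allowlist).
CANONICAL = {"example-lib": "trusted-org"}


def confusion_score(repo: Repo, today: date) -> int:
    """Higher score = more indicators of a cloned-and-renamed repository."""
    score = 0
    if repo.name in CANONICAL and repo.owner != CANONICAL[repo.name]:
        score += 3  # reuses the name of a known project under another owner
    if (today - repo.created).days <= 30:
        score += 1  # freshly created copy
    if repo.forks >= 50 and repo.forks > 10 * max(repo.stars, 1):
        score += 2  # bulk forking with almost no organic interest (stars)
    if repo.owner_age_days <= 30:
        score += 1  # throwaway account
    return score


def flag_suspicious(repos, today: date, threshold: int = 5):
    """Return 'owner/name' for every repository at or above the threshold."""
    return [f"{r.owner}/{r.name}" for r in repos if confusion_score(r, today) >= threshold]


# Constructed sample records: the original, an ordinary old fork, and a suspicious copy.
SAMPLE = [
    Repo("trusted-org", "example-lib", date(2019, 1, 1), 4200, 900, 3000),
    Repo("dev-alice", "example-lib", date(2022, 6, 1), 3, 0, 1500),
    Repo("qx7-user", "example-lib", date(2024, 2, 25), 0, 240, 4),
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.owner}/{r.name}: score {confusion_score(r, TODAY)}")
    print("flagged:", flag_suspicious(SAMPLE, TODAY))
```

Only the bulk-forked copy from a days-old account crosses the threshold; the ordinary fork by a long-standing user scores on the name collision alone and is not flagged.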

GitHub's Response and Challenges Ahead

Although GitHub affirms its commitment to maintaining a secure platform for its 100 million developers and over 420 million repositories, the scale of the attack has posed significant challenges. GitHub employs teams dedicated to the detection, analysis, and removal of content violating its Acceptable Use Policies, leveraging both manual reviews and machine learning technologies. Yet the sheer volume of automated and manual uploads of malicious repositories has proven difficult to manage completely. With some attacks managing to evade detection mechanisms, the scale of the problem hints at a potentially larger number of malicious repositories than currently known.

Furthermore, the effectiveness of the malware campaign reveals vulnerabilities within the software supply chain, magnified by GitHub's features that support automatic account and repository generation, alongside the accessibility of its APIs and rate limits. In the wake of these findings, there is a renewed call for enhanced software supply chain security measures, echoing the Biden administration's push, through frameworks and standards, to bolster defenses against such threats.

The situation underscores the perpetual arms race between security measures and the evolving tactics of attackers. With the malware distribution campaign still active, both developers and platform providers like GitHub must remain vigilant and continuously adapt to counter these sophisticated threats effectively.

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
