More than 100 thousand infected repositories on GitHub are disguised as legitimate projects

Attackers automated the process of creating and promoting fake libraries.

Researchers from Apiiro conducted an investigation into a large-scale campaign of attacks on the GitHub platform using malicious repositories. Experts have identified more than 100 thousand fake repositories that mimic popular open-source projects in order to distribute malware. The number of such repositories continues to grow steadily.

As experts explained, hackers actively use tactics of substitution of names of real projects. They create a repository that is identical to the popular project on GitHub, with the most similar name. Attackers expect that the user will make a typo while entering the name and download the infected code. This method is often used when working with package managers, where the command line leaves fewer opportunities for timely error recognition.

To implement the attack, attackers clone the target repository, inject it with malicious code, and re-publish it under the original name. Then the stage of promoting such repositories begins through various channels on the Internet, including forums and social networks, where they are presented as real ones. Automation of the process allows you to scale the distribution of infected projects.

Malicious code on the victim's computer usually starts downloading third-party software in the background. It is noted that most often attackers use BlackCap Grabber, a program that steals credentials, cookies and other important information, sending it to the attackers' servers.

GitHub takes measures against so-called fork bombs by automatically tracking and blocking suspicious repositories with an excessive number of copies. Despite the automated removal of millions of suspicious forks, approximately 1% of infected copies still manage to remain on the platform.

Users are advised to be careful and check the repositories they work with. This is especially important for companies to prevent malicious code from entering their systems and software supply chain.
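The name-substitution tactic described in the post (a near-identical project or package name that a user mistypes on the command line) can be checked for mechanically on the defender's side. The following is an added example, not code from the article, from Apiiro or from GitHub: it parses requirements.txt-style lines, normalises each package name, and compares it against an allow-list of vetted names using Damerau-Levenshtein edit distance plus a rule for decorative "python-"/"-py" tokens. The allow-list, the distance threshold of two edits and the sample requirements lines are all constructed assumptions for the demonstration.

```python
"""Flag dependency names that look like typosquats of vetted packages.

Added example (not from the article or Apiiro). The trusted list, the
edit-distance threshold and SAMPLE_REQUIREMENTS are constructed for the demo.
"""
import re

# Constructed allow-list: package names an organisation has actually vetted.
TRUSTED = {"requests", "urllib3", "numpy", "pyyaml", "cryptography", "colorama"}

# Assumed threshold: one or two edits away from a trusted name is suspicious.
MAX_EDITS = 2


def normalize(name):
    """PEP 503 style normalisation: case-fold, collapse runs of - _ . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, which catches the classic 'reqeusts' typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(name, trusted=TRUSTED):
    """Return ('trusted', match), ('suspicious', match) or ('unknown', None)."""
    n = normalize(name)
    if n in trusted:
        return "trusted", n
    # Strip decorative tokens often bolted onto a look-alike name:
    # leading "python-"/"py-", trailing "-python"/"-py", trailing digits.
    stripped = re.sub(r"^(python|py)-|-(python|py)$|\d+$", "", n)
    best, best_dist = None, None
    for t in sorted(trusted):  # sorted so ties resolve deterministically
        dist = min(damerau_levenshtein(n, t), damerau_levenshtein(stripped, t))
        if best_dist is None or dist < best_dist:
            best, best_dist = t, dist
    if best_dist is not None and best_dist <= MAX_EDITS:
        return "suspicious", best
    return "unknown", None


def parse_requirement(line):
    """Extract the bare project name from a requirements.txt line."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):      # blank, comment or option line
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def scan(lines, trusted=TRUSTED):
    """Map each parsed package name to its (verdict, closest trusted name)."""
    results = {}
    for raw in lines:
        name = parse_requirement(raw)
        if name:
            results[name] = classify(name, trusted)
    return results


SAMPLE_REQUIREMENTS = [           # constructed sample input
    "requests==2.31.0",
    "reqeusts>=2.0        # transposed letters",
    "urlib3",                     # dropped letter
    "numpy-python",               # decorative suffix on a real name
    "colourama",                  # extra letter
    "cryptography[ssh]",          # legitimate extras syntax
    "some-internal-tool",         # not close to anything vetted
]

if __name__ == "__main__":
    for name, (verdict, match) in scan(SAMPLE_REQUIREMENTS).items():
        print(f"{verdict:10s} {name:22s} {('~ ' + match) if match else ''}")
```

A name that is vetted passes as "trusted"; a name within two edits of a vetted one (or equal to one after stripping a decorative token) is "suspicious" and should be reviewed before install; anything else is "unknown", which is a prompt to vet it rather than a verdict. Run it as a pre-commit or CI step over lock files so the check happens before a mistyped name ever reaches the package manager.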