According to research by Apiiro, more than 100,000 malicious repositories that mimic real projects are now hosted on GitHub. Attackers use them to steal credentials from victims' computers, and the number of such repositories continues to grow.
Apiiro's researchers drew attention to a frequent attack technique based on name substitution. The attacker creates a repository that looks identical to a popular GitHub project and gives it a name as close as possible to the original. The hope is that a user will mistype the name and download the infected code onto their machine.
This type of attack is common with package managers, where interaction normally happens through the command line and the user is less likely to notice the mistake in time. Alternatively, a user searching on GitHub may select the attacker's repository instead of the original one.
To carry out the attack, attackers first clone a popular repository and add third-party downloaders and malicious code to it. The repository is then published on the platform under the original name, and the attackers begin promoting it on specialised forums and social networks as if it were the original. The whole cloning and republishing process is automated, which allows many malicious repositories to be posted on the platform every day.
Once on the victim's computer, the malicious code typically starts downloading additional software in the background. The study notes that attackers most often use BlackCap Grabber, a utility that steals credentials, cookies and other confidential information and sends it to the attackers' servers.
GitHub has built-in protection against fork-bombing that automatically checks whether a repository has been forked an unusually large number of times in a short period. If the system detects a repository behaving this way, the suspicious forks are blocked. The researchers note that the system deletes millions of such repositories, but it takes several hours to identify them, and about 1% of the infected forks still remain on the platform.
Users are advised to check the repositories they work with; otherwise they risk leaking confidential data. Companies should take particular care not to pull malicious code into their own software supply chain.
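The name-substitution technique described above (a near-identical name, or the same repository name under a different owner) is exactly what a pre-clone check can catch. The following is an added example, not code from the article or from Apiiro: it normalises a repository reference (URL, SSH remote or owner/repo) and compares it against an allowlist of trusted projects, flagging references that reuse a trusted repository name under another owner or sit within a small edit distance of a trusted name. The repository names in the allowlist are constructed placeholders, not real projects, and the distance threshold of 2 is an assumption to tune for your own allowlist.

```python
"""Flag GitHub repository references that look like name-substitution copies of trusted projects."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed allowlist of projects an organisation trusts.
# Hypothetical names chosen for this example; they are not real repositories.
TRUSTED_REPOS = frozenset({
    "acme/widget-sdk",
    "acme/widget-cli",
    "openlogs/log-parser",
    "meshcorp/mesh-router",
})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small non-zero distance between two
    different repository names is the typosquat signal we are looking for."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalise(ref: str) -> str:
    """Reduce an HTTPS URL, SSH remote or bare owner/repo reference to lowercase 'owner/repo'."""
    ref = ref.strip().lower()
    for prefix in ("https://github.com/", "http://github.com/", "git@github.com:", "github.com/"):
        if ref.startswith(prefix):
            ref = ref[len(prefix):]
            break
    if ref.endswith(".git"):
        ref = ref[:-4]
    parts = [p for p in ref.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"not an owner/repo reference: {ref!r}")
    return f"{parts[0]}/{parts[1]}"


@dataclass
class Verdict:
    status: str              # "trusted", "suspicious" or "unknown"
    nearest: Optional[str]   # closest trusted repository, if any
    reason: str


def check_repo(ref: str, trusted: Iterable[str] = TRUSTED_REPOS, max_distance: int = 2) -> Verdict:
    """Classify a repository reference against the allowlist.

    Exact matches are trusted. A trusted repository name reused under a different
    owner is always suspicious (the classic repo-confusion pattern). A reference whose
    full 'owner/repo' string is within max_distance edits of a trusted one is suspicious
    (typo-level variation). Anything else is unknown and needs manual review.
    """
    target = normalise(ref)
    trusted_set = {normalise(t) for t in trusted}
    if target in trusted_set:
        return Verdict("trusted", target, "exact match on allowlist")

    owner, name = target.split("/", 1)
    best, best_d = None, None
    for t in sorted(trusted_set):  # sorted so ties resolve deterministically
        t_owner, t_name = t.split("/", 1)
        if t_name == name and t_owner != owner:
            return Verdict("suspicious", t,
                           f"trusted repo name {name!r} under a different owner ({owner!r} vs {t_owner!r})")
        d = levenshtein(target, t)
        if best_d is None or d < best_d:
            best, best_d = t, d

    if best is not None and best_d <= max_distance:
        return Verdict("suspicious", best, f"within edit distance {best_d} of trusted repo {best}")
    return Verdict("unknown", None, "no close match on allowlist; review manually")


if __name__ == "__main__":
    for candidate in ("https://github.com/acme/widget-sdk.git",
                      "acme/wigdet-sdk",
                      "git@github.com:acrne/widget-sdk.git",
                      "someone/totally-different"):
        v = check_repo(candidate)
        print(f"{candidate:45} {v.status:10} {v.reason}")
```

A check like this belongs in the place where repositories actually enter the build, for example a wrapper around `git clone` or a CI step that reads the dependency manifest, so that a mistyped or look-alike name is refused before any code from it runs. An edit-distance threshold of 2 on the full `owner/repo` string is deliberately conservative; widen it only after checking how many legitimate references it would flag for your own allowlist.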