Security researcher Stephen Lacy has discovered a malware that is spreading thousands of times on code hoster Github. It is said to already exist around 35,000 times. It is smuggled in via simple pull requests.
Data is leaked
According to Lacy, the goal of the malware is to grab data from developers and users of the infected applications and direct it to servers of the attackers. The malware attempts to read and copy all environment variables of the compromised program. This way, a lot of information about the infected computers can be tapped, which can be used further down the line. Among the tapped data already in use, according to Lacy, are keys for servers and clouds.
Fake open source software
The malware reaches Github in different ways. In some cases, genuine open source projects are copied and enriched with the malware. The fake is then uploaded to Github and is difficult to distinguish from the original. The malware also frequently gets into open source projects hosted on Github via pull requests. The pull requests masquerade as harmless changes to version numbers or similar details, for example, and are often approved without further verification – with the result that the malicious code is downloaded with the program from then on.
In the latter case, the malware developers rely on the fact that the providers of the open source projects are overloaded and approve minor changes without more detailed checks. Apparently, this approach is successful in many cases. Lacy recommends that vendors use GPG signatures for their code to protect against such intrusions.
Github’s security team, meanwhile, has begun tracking down and removing malicious code from the platform. Anyone who has downloaded code from Github recently should ideally check the corresponding applications and remove them if in doubt. Numerous open-source applications are offered on Github.
