Aug 3 – Yesterday evening, an ominous Twitter post indicated that a widespread malware attack on GitHub might be in progress. Upon further investigation, however, researchers found something rather different from what was expected.
It appears that thousands of GitHub repositories were copied, and that the clones were altered to include malware. Original GitHub projects (all 35,000 of them) remained largely unaffected.
Although cloning open source repositories is a relatively common practice among developers, in this case cyber criminals created copies of authentic projects in order to taint the clones with malicious code.
After receiving information about the malicious repositories, GitHub successfully purged the majority of them. In short, contrary to engineers’ initial thoughts on the matter, GitHub has not been affected or compromised in any way.
Rather, the thousands of backdoored projects are clones of legitimate projects, purportedly created by threat actors to push malware. Official projects such as crypto, golang, python, js, bash, docker, and K8s remain unaffected.
Concern initially stemmed from the fact that malicious code in GitHub could make its way into all types of software libraries, code bases or code-based projects, affecting organizations worldwide.
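The practical lesson for defenders is that a clone can carry the same repository name as the real project while living under a different owner. The script below is an added example, not code from the original article or from GitHub: it checks a list of git dependency sources against a small, hypothetical registry of canonical GitHub owners and flags any source whose repository name matches a known project but whose owner does not. Both the registry and the sample URLs are constructed for illustration.

```python
"""Flag git dependency sources that look like clones of known upstream projects.

Added example for this article; the registry and sample URLs are constructed.
"""
import re
from urllib.parse import urlparse

# Hypothetical canonical registry: repository name -> trusted GitHub owner.
# In practice this would be generated from your organisation's approved sources.
CANONICAL_OWNERS = {
    "requests": "psf",
    "kubernetes": "kubernetes",
    "cli": "docker",
}

# Constructed sample of dependency sources, as they might appear in a
# requirements file, go.mod replace directive, or CI checkout step.
SAMPLE_SOURCES = [
    "https://github.com/psf/requests.git",          # canonical
    "git@github.com:someone-else/requests.git",     # same name, different owner
    "https://github.com/kubernetes/kubernetes",     # canonical
    "https://github.com/unknown-org/unrelated-tool", # not in the registry
]

# Matches the scp-style SSH form used by git: git@github.com:owner/repo(.git)
_SSH_RE = re.compile(r"^git@github\.com:(?P<owner>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?$")


def parse_github_source(url):
    """Return (owner, repo) in lower case for an https or ssh GitHub URL, else None."""
    url = url.strip()
    m = _SSH_RE.match(url)
    if m:
        return m.group("owner").lower(), m.group("repo").lower()
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner.lower(), repo.lower()


def classify_source(url, canonical=CANONICAL_OWNERS):
    """Classify a source as 'canonical', 'clone' (known name, wrong owner) or 'unknown'."""
    parsed = parse_github_source(url)
    if parsed is None:
        return "unknown"
    owner, repo = parsed
    expected = canonical.get(repo)
    if expected is None:
        return "unknown"
    return "canonical" if owner == expected.lower() else "clone"


def find_clone_sources(urls, canonical=CANONICAL_OWNERS):
    """Return the subset of urls that look like clones of registered projects."""
    return [u for u in urls if classify_source(u, canonical) == "clone"]


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{classify_source(src):9s} {src}")
```

An "unknown" result is not a clean bill of health; it only means the repository name is not in the registry, so the check is only as good as the list of canonical owners you maintain.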
Despite the false alarm, the finding is still considered important. The real impact turned out to be 35,000 code hits, but no infected original repositories.
The technical details can serve as a teaching tool for security engineers. Get technical details here.
See CyberTalk.org’s top tips for building an effective code review checklist here. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.