TechRadar
Sead Fadilpašić

GitHub under attack — millions of malicious cloud repositories bombard website

Hackers have found a way to automate the duplication of malicious GitHub repositories, bombarding the open source cloud platform with millions of repos capable of stealing sensitive information, including authentication cookies.

Cybersecurity researchers Matan Giladi and Gil David from Apiiro explained that since the middle of 2023, hackers have been running a typosquatting attack against software developers on an enormous scale. First, they clone an existing repository, possibly one that is popular among developers (such as WhatsappBOT, discord-boost-too, and similar), and infect it with a malware loader.

The loader, hidden behind seven layers of obfuscation, drops a modified version of the open source BlackCap-Grabber. This infostealer grabs authentication cookies and login credentials from a wide array of apps, and sends them to a server under the attackers’ control. BlackCap-Grabber also performs “a long series of additional malicious activities,” the researchers added.

Hundreds of thousands of repos

Once the loader is in place, the attackers upload the repository back to GitHub under an identical name, in an attempt to get unsuspecting developers to download the wrong one. They then automatically fork the repository thousands of times, leaving hundreds of thousands of malicious repositories on the platform. The attack affected more than 100,000 GitHub repositories, the researchers said, speculating that the actual number is in the millions.

Finally, the attackers promote the malicious packages across the web, in forums, Discord channels, and similar venues, to get as many people as possible to download them.

To make matters even worse, some developers started forking the malicious forks themselves, unknowingly further propagating the campaign.
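One way a defender or a platform reviewer could triage a cluster of same-name repositories for the mass-cloning pattern described above, as an added example that is not code from Apiiro, GitHub or TechRadar. The repository records, owner names and thresholds are constructed for illustration; the only real name is the WhatsappBOT repository mentioned in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
@dataclass
class RepoMeta:
    full_name: str          # "owner/name"
    created_at: str         # ISO 8601, UTC
    stars: int
    is_fork: bool
    owner_repo_count: int   # repositories held by the owning account
# Constructed sample with hypothetical owners: one long-lived project plus look-alikes sharing its name
SAMPLE = [
    RepoMeta("original-dev/WhatsappBOT", "2021-03-04T10:00:00Z", 1200, False, 12),
    RepoMeta("acct-a1/WhatsappBOT", "2023-11-02T08:11:00Z", 0, False, 980),
    RepoMeta("acct-a2/WhatsappBOT", "2023-11-02T08:12:00Z", 0, True, 1),
    RepoMeta("acct-a3/WhatsappBOT", "2023-11-02T08:12:30Z", 1, True, 1),
    RepoMeta("legit-fork/WhatsappBOT", "2022-06-10T12:00:00Z", 15, True, 20),
]
def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def likely_origin(repos):
    """Oldest non-fork (ties broken by stars) is the best guess for the genuine project."""
    non_forks = [r for r in repos if not r.is_fork] or repos
    return min(non_forks, key=lambda r: (_ts(r.created_at), -r.stars))

def flag_lookalikes(repos, burst_window_s=3600, min_burst=3):
    """Return (origin full_name, [(full_name, signals)]) for same-name repos that look cloned."""
    origin = likely_origin(repos)
    others = [r for r in repos if r is not origin]
    # Burst detection: several same-name repos created within one window of each other
    times = sorted(_ts(r.created_at) for r in others)
    in_burst = set()
    for t in times:
        window = [u for u in times if 0 <= (u - t).total_seconds() <= burst_window_s]
        if len(window) >= min_burst:
            in_burst.update(window)
    flagged = []
    for r in others:
        signals = []
        if _ts(r.created_at) in in_burst:
            signals.append("creation-burst")
        if r.stars <= 1:
            signals.append("no-engagement")
        if r.owner_repo_count > 500:
            signals.append("bulk-publisher")
        if len(signals) >= 2:  # require two independent signals to limit false positives
            flagged.append((r.full_name, signals))
    return origin.full_name, flagged
```

A real deployment would populate `RepoMeta` from repository metadata and tune the thresholds; the genuine older fork in the sample is left alone because it matches none of the signals.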

GitHub reportedly has a way to tackle the problem: using artificial intelligence, it stops the vast majority of cloned packages before they ever reach the platform. However, around 1% survive, amounting to “thousands of malicious repos,” the report said.

Via Ars Technica
