IOTW: Malicious actors gain access to GitHub source code

GitHub has reported that a malicious actor gained access to a set of repositories used in the planning and development of GitHub Desktop and the text and source code editor Atom.

The source code repository said that it became aware of the data breach after “unauthorized access” was detected on its servers on December 7, 2022. A set of encrypted code-signing certificates was stolen during the breach. GitHub reported that the certificates were password-protected and that there was “no evidence of malicious use”.

The hacker gained access to the source-code repositories on December 6, 2022, after using a compromised Personal Access Token (PAT) associated with a machine account to clone repositories from its Atom, desktop and “other deprecated GitHub-owned organizations”.

As a preventative measure, GitHub has said that it will “revoke the exposed certificates used for the GitHub Desktop and Atom applications”, meaning users must update their applications before February 2, 2023, to continue using them.

CircleCI phishing attack against GitHub

On September 16, 2022, GitHub reported a phishing attack in which a malicious actor posed as the continuous integration and delivery platform CircleCI in order to harvest login credentials and authentication codes from employees and gain access to various user accounts.

The phishing site used by the hacker relayed time-based one-time password (TOTP) two-factor authentication codes to the hacker in real time, allowing them to gain access to accounts protected by TOTP two-factor authentication. Accounts protected by hardware security keys were not vulnerable to this attack.
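Why a real-time relay defeats TOTP but not a hardware security key, as an added illustration that is not part of the original article: a TOTP code is valid wherever it is typed, whereas a WebAuthn (FIDO2) login signs over an origin that the browser fills in, so the relying party can reject an assertion produced on a look-alike site. The origins, challenge and seed below are constructed values, not GitHub's.

```python
import hashlib
import hmac
import json
import struct

# Constructed values for this illustration, not from the article or from GitHub.
RP_ORIGIN = "https://rp.example"           # origin the security key was registered on
PHISH_ORIGIN = "https://rp-login.example"  # look-alike origin used in the simulation
SECRET = b"12345678901234567890"           # RFC 6238 test-vector seed
CHALLENGE = "cnAtaXNzdWVkLWNoYWxsZW5nZQ"    # base64url challenge issued by the RP

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int) -> bool:
    # The code carries no notion of where it was typed: one entered on a look-alike
    # page and forwarded within the same 30-second step verifies like a genuine one.
    return hmac.compare_digest(totp(secret, now), code)

def client_data(origin: str, challenge: str) -> bytes:
    """clientDataJSON as the browser builds it for a login on `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def verify_client_data(client_data_json: bytes, expected_challenge: str) -> bool:
    """Simplified relying-party checks on WebAuthn clientDataJSON. The browser, not
    the page, fills in `origin`, and the authenticator signs a hash of this JSON,
    so a relaying site cannot substitute the genuine origin."""
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == RP_ORIGIN
            and hmac.compare_digest(data.get("challenge", ""), expected_challenge))

def simulate(now: int = 40) -> dict:
    """Run both second factors through a real-time relay; True means login accepted."""
    code = totp(SECRET, now)  # victim reads this from their app and types it into the fake page
    return {
        "totp_relayed": verify_totp(SECRET, code, now + 10),
        "key_on_real_origin": verify_client_data(client_data(RP_ORIGIN, CHALLENGE), CHALLENGE),
        "key_relayed_from_phish": verify_client_data(client_data(PHISH_ORIGIN, CHALLENGE), CHALLENGE),
    }

if __name__ == "__main__":
    print(simulate())  # {'totp_relayed': True, 'key_on_real_origin': True, 'key_relayed_from_phish': False}
```

A full relying party also verifies the authenticator's signature over authenticatorData plus the SHA-256 of clientDataJSON, which is what makes the origin field tamper-proof; that step is omitted here for brevity.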

Throughout the attack, the malicious actor was able to gain access to and download multiple private code repositories, and used techniques to preserve their access to the account even in the event that the compromised user or organization changed their password.

GitHub supply-chain attack affects 83 million developers

On August 3, 2022, a cyber attack against GitHub was discovered by software developer Stephen Lacy. During the attack, a bad actor added malicious code to clones of more than 35,000 GitHub repositories while keeping the rest of the original source code intact.

Almost 40 percent (13,000) of the repositories affected originated from a single organization, referred to as “redhat-operator-ecosystem” on the site, a spoof of the RedHat OpenShift Ecosystem.

The cloned projects attempted to trick users into clicking on them by spoofing genuine user accounts, using names very similar to those of the original projects they were cloned from, and using legitimate-sounding organization names.

The malicious code allowed the repositories to collect information on the environment in which they were executed, for example about the device that ran the code and its user. It also had the potential to collect other sensitive data.

The code could also download additional malware from a third-party site, allowing it to further exploit any application or environment that used the malicious cloned code originally introduced to the GitHub repositories.

The weaponized code could lead developers to accidentally download cloned repositories that contain the malicious code. If used in their applications, this would expose their users to code that includes malware. With an 83-million-strong developer audience, the ramifications could prove devastating.

The attack was reported to GitHub by Lacy, who claimed to have “cleaned up” the attack and stopped it spreading further by removing the affected projects and organizations.
