Thousands of GitHub repositories have been cloned and the clones laced with malware, as software engineer Stephen Lacy has verified. He puts the number of cloned repositories at 35,000.
While cloning open source repositories is a common development practice, in this case threat actors created copies of legitimate projects, contaminated them with malicious code, and used the clones to target unsuspecting developers.
GitHub says it has already removed most of the malicious repositories after receiving the engineer's report, although it has not given a concrete number.
This Was The Discovery
The thousands of affected projects are copies or clones of legitimate projects, allegedly created by threat actors to introduce malware. This means the official upstream projects (in ecosystems such as crypto, golang, python, js, bash, docker, and k8s) have not been compromised; the danger is that a developer can come across one of the copies without realizing it is not the original.
Lacy, the engineer who raised the alarm, was reviewing an open source project he had “found on a Google search” when he noticed the malicious URL in its code, which he shared on Twitter.
I am uncovering what seems to be a massive widespread malware attack on @github.
– Currently over 35k repositories are infected
– So far found in projects including: crypto, golang, python, js, bash, docker, k8s
– It is added to npm scripts, docker images and install docs pic.twitter.com/rq3CBDw3r9
— Stephen Lacy (@stephenlacy) August 3, 2022
Developer James Tucker pointed out that the cloned repositories containing the malicious URL carried a one-line backdoor. Such a backdoor can hand threat actors vital secrets such as your API keys, tokens, Amazon AWS credentials, and cryptographic keys.