A sophisticated cyberattack campaign targeting developers on GitHub has been discovered, with over 100,000 malicious repositories identified between November and February 2024 [3].


This scheme, known as a repo confusion attack [2], involves cloning legitimate repositories [4], injecting harmful code [4], and re-uploading them under the same names to increase visibility. The malware deployed through these repositories utilizes seven layers of obfuscation and ultimately deploys a modified version of BlackCap-Grabber to steal sensitive information [5]. Millions of repositories have been infected [1] [2], posing a supply chain risk and raising concerns about the security of the software supply chain. While GitHub’s security mechanisms are actively removing most of these fake repositories [1], some may still be overlooked, potentially leading to social engineering network effects [3]. Users are advised to check for and remove any suspicious repositories related to automation [4], gaming [4], and bots [4], and to change passwords for various services if they suspect they have downloaded a cloned repo [4]. Organizations are encouraged to implement policies regarding the use of GitHub to safeguard against these malicious attacks and to maintain constant vigilance and advanced security measures.
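The check described above can be automated on a developer workstation: the defining trait of a repo confusion clone is that its `origin` remote reuses the name of a trusted repository but points at a different GitHub owner. The following is an added example, not code from the article or from GitHub; the `TRUSTED` allowlist is a constructed placeholder that an organization would replace with its own canonical repository-to-owner mapping.

```python
"""Added example: flag local git clones whose GitHub 'origin' reuses the
name of a trusted repository but points at a different owner."""
import os
import re

# Constructed allowlist: lower-case repo name -> canonical lower-case owner.
TRUSTED = {"requests": "psf", "discord.py": "rapptz", "pyautogui": "asweigart"}

_URL_RE = re.compile(
    r"^(?:https?://|git@|ssh://git@)github\.com[:/](?P<owner>[^/]+)/"
    r"(?P<name>[^/\s]+?)(?:\.git)?/?$", re.IGNORECASE)


def parse_github_remote(url):
    """Return (owner, name) in lower case for an https/ssh GitHub URL, else None."""
    m = _URL_RE.match((url or "").strip())
    return (m.group("owner").lower(), m.group("name").lower()) if m else None


def check_remote(url, trusted=TRUSTED):
    """'ok' if the owner is the allowlisted one, 'confusion' if a trusted name
    is served by another owner, 'unknown' if the name is not on the allowlist."""
    parsed = parse_github_remote(url)
    if parsed is None or parsed[1] not in trusted:
        return "unknown"
    owner, name = parsed
    return "ok" if owner == trusted[name] else "confusion"


def origin_url_from_config(text):
    """Extract remote.origin.url from the contents of a .git/config file."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line
        elif section == '[remote "origin"]' and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "url":
                return value.strip()
    return None


def scan_clones(root, trusted=TRUSTED):
    """Map each clone directly under <root> to its verdict (skips non-repos)."""
    verdicts = {}
    for entry in sorted(os.listdir(root)):
        cfg = os.path.join(root, entry, ".git", "config")
        if os.path.isfile(cfg):
            with open(cfg, encoding="utf-8", errors="replace") as fh:
                url = origin_url_from_config(fh.read())
            verdicts[entry] = check_remote(url, trusted) if url else "unknown"
    return verdicts
```

Running `scan_clones("~/src")` over a checkout directory reports every clone whose name collides with an allowlisted project but whose owner differs; "unknown" entries are not flagged, so the allowlist must cover the projects the team actually depends on.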


The discovery of this cyberattack campaign highlights the importance of maintaining strong security measures on platforms like GitHub. It also underscores the need for users and organizations to remain vigilant, implement policies to safeguard against such attacks, and be prepared for potential future threats in the software supply chain.


