Crypto Threat: Malware Infiltrates Github Cloning Thousands of Repos

The developer platform Github has been inundated with malware which has infiltrated tens of thousands of repositories.

As many as 35,000 Github repositories have been cloned with malware according to a security researcher.

The widespread malware attack did not target crypto repositories (repos) specifically, but they have been among those impacted.

Software engineer Stephen Lacy alerted the crypto community to the incursion on Aug. 3.

I am uncovering what seems to be a massive widespread malware attack on @github.

– Currently over 35k repositories are infected
– So far found in projects including: crypto, golang, python, js, bash, docker, k8s
– It is added to npm scripts, docker images and install docs pic.twitter.com/rq3CBDw3r9

— Stephen Lacy (@stephenlacy) August 3, 2022

Cloning Github repos

Tech portal Bleeping Computer reported that the repos were not hacked but had been copied with their clones altered to include the malware. Cloning open source code is a common practice among developers, however, the attackers have injected malicious code and links into legitimate projects to target unsuspecting developers.

Several projects from crypto, Golang, Python, JavaScript, Bash, Docker, and Kubernetes have been affected by the attack, the researcher noted.

While reviewing a project he had found from a Google search, the engineer noticed a malicious URL in the code. Scanning Github repos for this URL returned more than 35,000 results.

Bleeping Computer said that more than 13,000 search results were from a single repository called ‘redhat-operator-ecosystem.’ The malicious URL “exfiltrated a user’s environment variables but additionally contained a one-line backdoor,” the report added.

These environment variables can contain sensitive data such as API keys, tokens, Amazon AWS credentials, and crypto keys. The malware also allows remote attackers to execute arbitrary code on the systems of all those who install and run the clones.

The majority of the cloned repos had appeared within the past month, the report stated.

Github confirmed that the original repositories were not compromised and it had cleaned up or quarantined the clones.

GitHub is investigating the Tweet published Wed, Aug. 3, 2022:
* No repositories were compromised
* Malicious code was posted to cloned repositories, not the repositories themselves
* The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts

— GitHub Security (@GitHubSecurity) August 3, 2022

Last month, BeInCrypto reported that a new strain of malware written in Rust was doing the rounds. Luca Stealer targets Windows operating systems and steals sensitive information such as crypto wallet information. The malware was also distributed on Github.

Miserable week in crypto

DeFi researcher Miles Deutscher pointed out that it has not been a great week in crypto. Earlier this week the Nomad bridge was exploited for $190 million and a few hours after, around 8,000 Solana wallets were hacked resulting in the theft of an estimated $8 million.

The last 5 days in crypto:

• $100m $ONE hack.

• $190m Nomad bridge hack (4th biggest DeFi exploit in history).

• $SOL private key hack (over 8,000 wallets affected).

• GitHub malware attack (35k repositories infected).

— Miles Deutscher (@milesdeutscher) August 3, 2022

Markets appear to be unaffected though as total capitalization has gained 1.7% on the day to reach $1.12 trillion at the time of writing.

The post Crypto Threat: Malware Infiltrates Github Cloning Thousands of Repos appeared first on BeInCrypto.

Source: Markets – BeInCrypto