Is GitHub Under Attack by Malicious Repositories?

  • Thread starter Thread starter jedishrfu
  • Start date Start date
Click For Summary

Discussion Overview

The discussion centers on the ongoing security issues related to GitHub, specifically the proliferation of malicious repositories that contain obfuscated malware. Participants explore the implications of these attacks on developers and the broader open-source community, touching on related platforms like Hugging Face.

Discussion Character

  • Debate/contested
  • Technical explanation
  • Exploratory

Main Points Raised

  • Some participants highlight that GitHub is facing an attack involving millions of malicious repositories that are difficult to distinguish from legitimate ones due to their obfuscated nature.
  • One participant notes their personal practice of forking repositories for coding ideas but expresses distrust in highly obfuscated code, citing past experiences with dependencies that complicate execution.
  • Another participant warns that developers might inadvertently install malware by choosing forked versions of repositories, which could also affect build systems like Maven and Docker.
  • A later post mentions similar issues occurring on Hugging Face, where malware has been found in code that could backdoor user devices.
  • Concerns are raised about the increasing frequency of these issues, potentially linked to the capabilities of large language models and the fear that GitHub may implement restrictions on repository creation for free users.

Areas of Agreement / Disagreement

Participants express a range of concerns regarding the security of repositories on GitHub and related platforms, with no clear consensus on the extent of the threat or the implications for the future of open-source development.

Contextual Notes

Participants mention various sources and examples of malware in repositories, indicating a broader trend without resolving the specifics of the claims or the effectiveness of current security measures.

jedishrfu
Mentor
Insights Author
Messages
15,642
Reaction score
10,439
TL;DR
GitHub has been inundated with a flood of forked repos with embedded malware. They have been able to stem the tide, but their tools are still missing thousands of manually uploaded repos with malware.
https://arstechnica.com/security/20...-of-malicious-repositories-in-ongoing-attack/

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

...
 
Reply
  • Informative
  • Like
Likes   Reactions: WWGD, jack action and Borg
Computer science news on Phys.org
Good to know.

In general, I usually just fork to maintain a copy that I can examine for coding ideas and I've rarely ever cloned any to my desktop. In the past, I've found that most of the ones that I did try running have just enough odd dependancies that they aren't worth trying to run.

I don't tend to trust what I can't decipher. I've had to deal with hyper-obfuscated code on work projects and really don't trust that when I see it. :oldwink:
 
Reply
  • Like
Likes   Reactions: nsaspook
The point is that folks are forking the repo and reposting it back to GitHub with embedded obfuscated malware. Developers might go for the forked version and so automatically install malware in their code.

This could apply to maven builds as well where libraries are corrupted with embedded malware. I know docker images have been built with embedded crypto mining capability.

https://blog.sonatype.com/malware-removed-from-maven-central

https://tuxcare.com/blog/unraveling-the-threat-of-new-docker-malware-campaign/

https://www.bleepingcomputer.com/ne...low-hackers-to-escape-docker-runc-containers/

I can see in the near future where AI models trained on this malware crap will be infected with malware and that may be the true purpose of this exercise in polluting the open source pool.
 
Reply
  • Sad
Likes   Reactions: Borg
Now it's Hugging Face's turn for the malware circus.
Hugging Face, the GitHub of AI, hosted code that backdoored user devices
Code uploaded to AI developer platform Hugging Face covertly installed backdoors and other types of malware on end-user machines, researchers from security firm JFrog said Thursday in a report that’s a likely harbinger of what’s to come.
 
I tend to believe these issues (while not that frequent in the past) are now being caused, with a faster frequency) by the amount of data generation we can perform nowadays with large language models.

Sadly, and I hope not, this will become a premium model for Github where free users won't be able to perform repository creation
 

Similar threads

In The United States Today Science, Is Under Attack As Never Before
  • · Replies 12 ·
Replies
12
Views
3K