Is GitHub Under Attack by Malicious Repositories?

Thread starter: jedishrfu
AI Thread Summary
GitHub is currently facing a significant security challenge as it deals with an influx of millions of malicious repositories. These repositories are designed to steal passwords and cryptocurrency from developers by embedding obfuscated malware within clones of legitimate projects. The attack involves automating the forking of genuine repositories, resulting in numerous deceptive copies that are difficult to identify. This obfuscation is layered, making it challenging for developers to recognize the threat. Additionally, some users are unknowingly forking these malicious versions, further propagating the issue.

The implications extend beyond GitHub, as similar tactics could affect other platforms like Maven and Docker, where libraries and images may also be compromised with malware. Researchers have noted that the rise of AI and large language models could exacerbate these security risks, potentially leading to a future where AI models are trained on contaminated data. There are concerns that this trend may necessitate changes to GitHub's repository creation policies, possibly restricting free users in response to the ongoing threat.
TL;DR Summary
GitHub has been inundated with a flood of forked repos with embedded malware. They have been able to stem the tide, but their tools are still missing thousands of manually uploaded repos with malware.
https://arstechnica.com/security/20...-of-malicious-repositories-in-ongoing-attack/

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

...
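The excerpt above says the payload is "wrapped under seven layers of obfuscation". The stacked decode-and-exec wrappers this refers to can be unwound statically, without running any of them. Below is an added example in Python (not code from the original post or from the Ars Technica article): a peeler that recognises a few wrapper shapes, strips them one layer at a time, and reports how deep the nesting goes and what sits at the core. The wrapper shapes it knows (base64, zlib-over-base64, hex, reversed text) and the seven-layer sample built by `build_sample()` are assumptions made for the example; a real dropper will use shapes it does not know, so a non-match means "unknown", not "clean".

```python
"""
Static peeler for stacked exec(decode(...)) wrappers.

Added example, not code from the original post or the Ars Technica article.
The article only says the payload sits under "seven layers of obfuscation";
the wrapper shapes handled here (base64, zlib-over-base64, hex, reversed
text) and the seven-layer sample built by build_sample() are assumptions.
The peeler never calls exec(): it decodes only what it recognises, so it is
safe to point at an untrusted file.
"""
import base64
import re
import zlib

# Regexes for the wrapper shapes this example understands. Real droppers also
# use marshal, lambda tricks, custom XOR and more, so a miss means "unknown".
_WRAPPERS = [
    ("zlib+b64", re.compile(
        r"exec\(\s*zlib\.decompress\(\s*base64\.b64decode\(\s*b?['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)")),
    ("b64", re.compile(
        r"exec\(\s*base64\.b64decode\(\s*b?['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")),
    ("hex", re.compile(
        r"exec\(\s*bytes\.fromhex\(\s*['\"]([0-9a-fA-F]+)['\"]\s*\)\.decode\(\)\s*\)")),
    ("reverse", re.compile(
        r"exec\(\s*\"([^\"]+)\"\[::-1\]\s*\)", re.S)),
]


def _decode(kind, blob):
    """Undo one wrapper layer. Pure data transforms, no code execution."""
    if kind == "zlib+b64":
        return zlib.decompress(base64.b64decode(blob)).decode("utf-8", "replace")
    if kind == "b64":
        return base64.b64decode(blob).decode("utf-8", "replace")
    if kind == "hex":
        return bytes.fromhex(blob).decode("utf-8", "replace")
    if kind == "reverse":
        return blob[::-1]
    raise ValueError(kind)


def peel(source, max_layers=32):
    """Strip recognised wrappers one at a time.

    Returns (chain, innermost): chain lists the wrapper kinds in the order
    they were removed (outermost first); innermost is the text left when no
    wrapper matched, i.e. the real payload or something this peeler cannot read.
    max_layers bounds the loop so pathological nesting cannot spin forever.
    """
    chain, text = [], source
    for _ in range(max_layers):
        for kind, rx in _WRAPPERS:
            m = rx.search(text)
            if m:
                chain.append(kind)
                text = _decode(kind, m.group(1))
                break
        else:
            break
    return chain, text.strip()


def assess(source):
    """Summary a triage script would log for one file."""
    chain, innermost = peel(source)
    return {
        "layers": len(chain),
        "chain": chain,
        "innermost": innermost,
        # stacked decode+exec is a red flag; an exec() left in the core is another
        "suspicious": len(chain) >= 2 or "exec(" in innermost,
    }


# --- constructed sample: a seven-layer dropper around a harmless stand-in payload ---
PAYLOAD = "print('stealer would run here')"   # stands in for the real payload


def _wrap(text, kind):
    """Inverse of _decode, used only to build the sample."""
    if kind == "zlib+b64":
        blob = base64.b64encode(zlib.compress(text.encode())).decode()
        return "exec(zlib.decompress(base64.b64decode(b'%s')))" % blob
    if kind == "b64":
        return "exec(base64.b64decode(b'%s'))" % base64.b64encode(text.encode()).decode()
    if kind == "hex":
        return "exec(bytes.fromhex('%s').decode())" % text.encode().hex()
    if kind == "reverse":
        assert '"' not in text, "reverse layer needs a double-quote-free body"
        return 'exec("%s"[::-1])' % text[::-1]
    raise ValueError(kind)


def build_sample(kinds=("b64", "zlib+b64", "hex", "reverse", "b64", "zlib+b64", "b64")):
    """Wrap PAYLOAD innermost-first, so peel() should report reversed(kinds)."""
    text = PAYLOAD
    for kind in kinds:
        text = _wrap(text, kind)
    return "import base64, zlib\n" + text + "\n"


if __name__ == "__main__":
    report = assess(build_sample())
    print(report["layers"], "layers:", " -> ".join(report["chain"]))
    print("innermost:", report["innermost"])
```

Run on the constructed sample it reports seven layers and recovers the stand-in payload; on an ordinary module it reports zero layers. Matching is by regex rather than by parsing the AST on purpose: droppers are often written so that they are not valid Python until the outer layer has been decoded, and a regex still finds the next wrapper in that case.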
 
Good to know.

In general, I usually just fork to maintain a copy that I can examine for coding ideas, and I've rarely ever cloned any to my desktop. In the past, I've found that most of the ones that I did try running have just enough odd dependencies that they aren't worth trying to run.

I don't tend to trust what I can't decipher. I've had to deal with hyper-obfuscated code on work projects and really don't trust that when I see it.
 
The point is that folks are forking the repo and reposting it back to GitHub with embedded obfuscated malware. Developers might go for the forked version and so automatically install malware in their code.

This could apply to Maven builds as well, where libraries are corrupted with embedded malware. I know Docker images have been built with embedded crypto-mining capability.

https://blog.sonatype.com/malware-removed-from-maven-central

https://tuxcare.com/blog/unraveling-the-threat-of-new-docker-malware-campaign/

https://www.bleepingcomputer.com/ne...low-hackers-to-escape-docker-runc-containers/

I can see in the near future where AI models trained on this malware crap will be infected with malware and that may be the true purpose of this exercise in polluting the open source pool.
 
Now it's Hugging Face's turn for the malware circus.
Hugging Face, the GitHub of AI, hosted code that backdoored user devices
Code uploaded to AI developer platform Hugging Face covertly installed backdoors and other types of malware on end-user machines, researchers from security firm JFrog said Thursday in a report that’s a likely harbinger of what’s to come.
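The quoted report says the uploaded model files installed backdoors on the machines that loaded them. As an added example (not code from the post or from the JFrog report it quotes), and on the assumption that the files are Python pickles, the serialisation format behind PyTorch checkpoints and a format that can name any importable callable and have `pickle.load()` call it, the scanner below walks the opcode stream with `pickletools` and lists every importable the file would resolve on load, without ever calling `pickle.load()`. The `Backdoor` class and the `DANGEROUS` table are constructed for the example.

```python
"""
Opcode-level scan of a pickle for code-execution gadgets.

Added example, not code from the post or from the JFrog report it quotes.
Assumption: the backdoored model files are Python pickles (the format behind
PyTorch .pt/.bin checkpoints), which can name any importable callable and
have pickle.load() call it. The scan walks the opcode stream with
pickletools and never calls pickle.load(), so it is safe on untrusted data.
The Backdoor class and the DANGEROUS table are constructed for the example.
"""
import io
import os
import pickle
import pickletools

# Callables that have no business inside a model checkpoint. Extend to taste;
# a stricter policy is an allow-list of torch/numpy/collections names instead.
DANGEROUS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "exec"), ("builtins", "eval"), ("builtins", "__import__"),
    ("runpy", "run_code"), ("importlib", "import_module"), ("socket", "socket"),
}

# Opcodes that push a string (the operands of STACK_GLOBAL) and opcodes that
# invoke a callable with arguments when the pickle is loaded.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
CALL_OPS = {"REDUCE", "NEWOBJ", "NEWOBJ_EX", "INST", "OBJ", "BUILD"}


def scan_pickle(data):
    """Return the importables the pickle would resolve on load, and a verdict."""
    globals_seen, strings, calls = [], [], 0
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":            # protocol <= 3: one "module name" operand
            module, name = arg.split(" ", 1)
            globals_seen.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: the two previous strings
            if len(strings) >= 2:
                globals_seen.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in CALL_OPS:
            calls += 1
    dangerous = [g for g in globals_seen if g in DANGEROUS]
    return {
        "globals": globals_seen,
        "dangerous": dangerous,
        "calls": calls,
        "verdict": "MALICIOUS" if dangerous else "clean",
    }


# --- constructed samples ---
class Backdoor:
    """What the payload object in a trojaned checkpoint looks like. Building or
    pickling it runs nothing; unpickling it would hand "echo pwned" to os.system."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


def sample_malicious(protocol=pickle.HIGHEST_PROTOCOL):
    return pickle.dumps({"weights": [0.1, 0.2], "hook": Backdoor()}, protocol=protocol)


def sample_benign(protocol=pickle.HIGHEST_PROTOCOL):
    return pickle.dumps({"weights": [0.1, 0.2], "bias": 0.0}, protocol=protocol)


if __name__ == "__main__":
    for label, blob in (("benign", sample_benign()), ("malicious", sample_malicious())):
        r = scan_pickle(blob)
        print(label, r["verdict"], r["dangerous"])
```

Note that `os.system` pickles as `posix system` on Linux and `nt system` on Windows, which is why the table lists all three spellings. A deny-list like this catches the obvious gadgets but not a novel one, which is why the report also returns the full list of globals: the right policy for a model file is to reject anything outside a short allow-list, or to prefer formats such as safetensors that carry no code at all.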
 
I tend to believe these issues (while not that frequent in the past) are now being caused, with a faster frequency, by the amount of data generation we can perform nowadays with large language models.

Sadly, and I hope not, this will become a premium model for GitHub where free users won't be able to perform repository creation.
 