
A malware distribution campaign that began in May with a few malicious packages published to the Python Package Index (PyPI) has migrated to GitHub, affecting at least 100,000 projects.
This form of attack falls under repo confusion attacks, which usually rely on human error: users and developers are tricked into downloading fake, malicious versions instead of the original.
Malicious actors clone existing repositories, infect them with malware loaders, upload them to GitHub under identical names and conventions, and then automatically fork them thousands of times, distributing them around the web via forums and other channels.
The malware is a modified version of BlackCap-Grabber, which gathers login credentials from other apps, browser passwords and cookies, and other private data, then transmits it to the attacker's command-and-control server.
The removal process that targets such fork bombs takes place within hours of upload, making it difficult to document the scope of the attack. The sheer number of repositories involved in this campaign, together with the automation behind them, presents a considerable barrier to detection and prevention.
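Two defender-side checks for the clone-and-fork pattern described above, as an added example that is not code from the article or from the researchers it cites. The first verifies that a dependency pulled from a git URL sits under the canonical owner recorded for that project; the second scans a repository inventory for repositories that reuse a canonical project's name under a different owner, flagging the young and heavily forked ones. The canonical owner table, the thresholds and every repository record are constructed for illustration.

```python
"""Added example: defender-side checks for repo confusion (constructed data)."""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed allow-list: project name -> canonical GitHub owner.
CANONICAL_OWNERS = {
    "requests": "psf",
    "flask": "pallets",
    "black": "psf",
}


def normalize(name: str) -> str:
    """Collapse the variants confusion attacks rely on (case, '-' vs '_', '.git')."""
    name = name.lower()
    if name.endswith(".git"):
        name = name[:-4]
    return name.replace("_", "-")


def check_source_url(url: str, canonical=CANONICAL_OWNERS):
    """Return None if the URL points at the canonical owner, else a reason string."""
    parsed = urlparse(url)  # handles git+https:// as well as https://
    if parsed.hostname != "github.com":
        return f"unexpected host {parsed.hostname!r}"
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return "URL does not name an owner/repository"
    owner, repo = parts[0].lower(), normalize(parts[1])
    expected = canonical.get(repo)
    if expected is None:
        return f"{repo!r} is not in the canonical owner table"
    if owner != expected.lower():
        return f"{repo!r} expected under {expected!r}, found under {owner!r}"
    return None


@dataclass(frozen=True)
class Repo:
    owner: str
    name: str
    created: date
    forks: int


def find_suspects(repos, today, canonical=CANONICAL_OWNERS,
                  max_age_days=30, forks_per_day=50):
    """Flag repos that look like mass-forked name clones of canonical projects.

    Returns a list of (repo, [reasons]) sorted by fork count, most forks first.
    The age and fork-rate thresholds are constructed defaults, not published ones.
    """
    flagged = []
    for repo in repos:
        expected = canonical.get(normalize(repo.name))
        if expected is None or repo.owner.lower() == expected.lower():
            continue  # unknown project, or the legitimate owner itself
        reasons = [f"name collides with canonical {expected}/{repo.name}"]
        age_days = max((today - repo.created).days, 1)
        if age_days <= max_age_days:
            reasons.append(f"created {age_days} day(s) ago")
        if repo.forks / age_days >= forks_per_day:
            reasons.append(f"{repo.forks} forks in {age_days} day(s) suggests automated forking")
        flagged.append((repo, reasons))
    flagged.sort(key=lambda item: item[0].forks, reverse=True)
    return flagged


# Constructed inventory: the legitimate repo, a fresh mass-forked clone,
# an old same-named repo from a genuine contributor, and an unrelated repo.
SAMPLE_REPOS = [
    Repo("psf", "requests", date(2011, 2, 13), 9000),
    Repo("dev-tools-mirror", "requests", date(2024, 2, 20), 1800),
    Repo("longtime-contributor", "Requests", date(2019, 6, 1), 3),
    Repo("someone", "my-notes", date(2024, 2, 25), 0),
]
TODAY = date(2024, 2, 29)  # constructed scan date

if __name__ == "__main__":
    for repo, reasons in find_suspects(SAMPLE_REPOS, TODAY):
        print(f"{repo.owner}/{repo.name}: " + "; ".join(reasons))
    print(check_source_url("git+https://github.com/dev-tools-mirror/requests.git"))
```

The old same-named repository is still listed (the name collision alone is worth a look), but only the fresh, mass-forked one collects the extra reasons, which is what lets a reviewer prioritise among thousands of hits.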
“Because the whole attack chain seems to be mostly automated on a large scale, the one percent that survive still amount to thousands of malicious repos,” said Matan Giladi, security researcher, and Gil David, head of AI.
Sources:
https://www.developer-tech.com/news/2024/feb/29/github-suffers-over-100k-infected-repos
https://www.theregister.com/2024/03/01/github_automated_fork_campaign
Know more about APC at https://apc.edu.ph