Monday 15 August 2022
Home / none / GitHub faces widespread malware attacks affecting projects, including crypto

GitHub faces widespread malware attacks affecting projects, including crypto

Major developer platform GitHub faced a widespread malware attack and reported 35,000 “code hits” on a day that saw thousands of Solana-based wallets drained for millions of dollars.

The widespread attack was highlighted by GitHub developer Stephen Lucy, who first reported the incident earlier on Wednesday. The developer came across the issue while reviewing a project he found on a Google search.

So far, various projects — from crypto, Golang, Python, JavaScript, Bash, Docker and Kubernetes — have been found to be affected by the attack. The malware attack is targeted at the docker images, install docs and NPM script, which is a convenient way to bundle common shell commands for a project.

To dupe developers and access critical data, the attacker first creates a fake repository (a repository contains all of the project’s files and each file’s revision history) and pushes clones of legit projects to GitHub. For example, the following two snapshots show this legit crypto miner project and its clone.

Original crypto mining project. Source: Github
Cloned crypto mining project. Source: Github

Many of these clone repositories were pushed as “pull requests,” which let developers tell others about changes they have pushed to a branch in a repository on GitHub.

Related: Nomad reportedly ignored security vulnerability that led to $190M exploit

Once the developer falls prey to the malware attack, the entire environment variable (ENV) of the script, application or laptop (Electron apps) is sent to the attacker’s server. The ENV includes security keys, Amazon Web Services access keys, crypto keys and much more.

The developer has reported the issue to GitHub and advised developers to GPG-sign their revisions made to the repository. GPG keys add an extra layer of security to GitHub accounts and software projects by providing a way of verifying all revisions come from a trusted source.

Original Article

About Jude Savage

Check Also

NFT games have edge over ‘money in, no money out’ games: Polygon’s Urvit Goel

Polygon’s vice president of global business development for gaming, Urvit Goel, believes games that integrate nonfungible tokens (NFTs) have a natural edge on traditional games that don’t allow users to sell their in-game items. Goel spoke candidly with Cointelegraph in Seoul last week about Polygon’s push toward helping NFT games proliferate and why game publishers in South Korea like Neowiz and Nexon are diving headfirst into the space. One of the main arguments Goel made is that the traditional business model that NFT games are competing against may be inherently weaker. In traditional gaming, users typically buy in-game items with real money, but they cannot sell those items to get back any United States dollar value. However, with most games in the gaming finance (GameFi) space, users can buy items as nonfungible tokens and sell them when they are done playing the game. Goel referred to the traditional model as “money in, no money out,” and emphasized that gamers should be able to..

Leave a Reply

Your email address will not be published. Required fields are marked *