Threat actors are finding new ways to take advantage of GitHub in hopes of tricking developers into putting malicious code into their software and sending it to users downstream, according to researchers with ReversingLabs.
Code repositories like GitHub and Python Package Index are popular targets for hackers who want to abuse the software supply chain to more easily and cheaply spread their malware while evading detection.
In a report this week, Karlo Zanki, a reverse engineer at ReversingLabs, wrote that bad actors have gotten adept at using public services as command-and-control infrastructure, with the cybersecurity vendor seeing such efforts in various malware campaigns in recent years.
Most recently, the researchers discovered two new methods being used to leverage GitHub for nefarious reasons, with the same threat actor likely behind both.
The first involves abusing GitHub gists to host two-stage malicious payloads.
Gists are a simple way for developers to share snippets of code with one another, and they offer a number of features that make them attractive to cybercriminals.
They can be public or secret, and unlike public gists, secret gists don't appear in GitHub's Discover feed.
They're not searchable by anyone but the author of the secret gist, and then only when the author is logged on.
They aren't private, though: if a developer sends the URL of a secret gist to someone else, that person will be able to see it.
ReversingLabs researchers found several PyPI packages - httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5 - that appeared to be libraries for handling network proxying and contained a Base64-encoded string that seemed to have to do with telemetry data.
They actually held a URL that pointed to a secret gist.
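As an added example, not code from the ReversingLabs report, here is a small check a package reviewer could run over a setup.py to surface Base64 literals that quietly decode to URLs, flagging GitHub-hosted ones; the sample file, the gist URL and the host list are constructed placeholders.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample, not from the report: a setup.py-shaped file in which a
# "telemetry" constant is really a Base64-encoded URL to a placeholder secret gist.
HIDDEN_GIST_URL = "https://gist.github.com/EXAMPLE-USER/PLACEHOLDER-GIST-ID"
ENC_URL = base64.b64encode(HIDDEN_GIST_URL.encode()).decode()
ENC_TAG = base64.b64encode(b"nightly-build-2023-12-20").decode()  # benign decoy
SAMPLE_SETUP_PY = f'''
from setuptools import setup
TELEMETRY_ID = "{ENC_URL}"
BUILD_TAG = "{ENC_TAG}"
setup(name="libproxy-like", version="1.0.0")
'''

# Quoted string literals that look like Base64 (16+ chars, optional padding).
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')

# Assumed host list: GitHub endpoints commonly used to stage content.
GITHUB_HOSTS = {"gist.github.com", "gist.githubusercontent.com",
                "raw.githubusercontent.com", "api.github.com"}


def decode_candidate(literal):
    """Return the UTF-8 text behind a Base64 literal, or None if it is not one."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_hidden_urls(source):
    """Scan source text for Base64 literals that decode to http(s) URLs."""
    hits = []
    for match in B64_LITERAL.finditer(source):
        decoded = decode_candidate(match.group(1))
        if decoded is None:
            continue
        parsed = urlparse(decoded.strip())
        if parsed.scheme in ("http", "https") and parsed.netloc:
            hits.append({"literal": match.group(1), "url": decoded.strip(),
                         "host": parsed.netloc,
                         "github_hosted": parsed.netloc in GITHUB_HOSTS})
    return hits


if __name__ == "__main__":
    for hit in find_hidden_urls(SAMPLE_SETUP_PY):
        flag = "GITHUB-HOSTED" if hit["github_hosted"] else "external"
        print(f"{flag}: {hit['url']} (literal {hit['literal'][:12]}...)")
```

The decoy BUILD_TAG decodes to plain text and is ignored, so only literals that hide a real URL are reported.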
The other malware type involved fetching commands from git commit messages.
The malware, found in the easyhttprequest PyPI package and - like the first example - hidden in the setup.
The malicious package uses a unique tactic for delivering commands.
Zanki said it's unclear whether this is a mistake or the malware's creator did it on purpose.
All of the malicious PyPI packages have been taken down, but Zanki wrote that he expects more hackers will find new ways to exploit GitHub for their nefarious purposes, adding that the author of the malware in these instances is still publishing new malware samples.
The discovery of these novel malware types aimed at GitHub also serves as a reminder that developers must be aware of the risks that come with open-source software development, particularly as attackers increasingly target the supply chain.
The software supply chain has become a soft target for cybercriminals.
The software being developed today includes large numbers of off-the-shelf and open-source components, and organizations are now using tools such as software bills of materials to push back.
In his annual State of the Software Supply Chain report released in October, Sonatype found that there had been twice as many software supply chain attacks - 245,032 malicious packages were discovered - in 2023 as in 2019 to 2022 combined, and that one in eight open-source downloads poses known and avoidable risks - 96% of vulnerable download releases had a fixed version available.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 20 Dec 2023 22:13:06 +0000