
Millions of Malicious Repositories Overwhelm GitHub


In recent months, cyberattackers have been wreaking havoc on GitHub by registering more than 100,000 malicious copycat repositories, with some estimates suggesting the number could be even higher, exceeding a million. This surge in malicious activity has been attributed to the rise of a scheme known as “repo confusion,” which involves copying existing repositories, embedding malware, and reuploading them in the hopes of tricking unsuspecting developers.

Although GitHub’s automatic security systems have been successful in detecting and removing many of these fake repositories, a significant number continue to slip through the cracks, as highlighted in a recent study by Apiiro. The repo confusion attack works much like dependency confusion in package managers, where developers unknowingly download infected copies of the code they intended to use, putting their projects at risk of incorporating malware and introducing downstream supply chain vulnerabilities.
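As an added illustration that is not from the article or from Apiiro's research, the following Python check applies the dependency-confusion analogy to git-sourced dependencies: it flags any requirements entry whose repository name matches a project you depend on but whose owner is not the canonical one (the shape of a copycat fork), and any entry not pinned to a full commit SHA. The allowlist, the sample requirements file, the SHA and the `pallets-dev` owner are constructed placeholders.

```python
import re

# Constructed allowlist (project name -> canonical GitHub owner); replace with your own inventory.
CANONICAL_OWNERS = {"requests": "psf", "flask": "pallets", "pyjwt": "jpadilla"}

# pip-style spec: [git+]https://github.com/<owner>/<repo>[.git][@<ref>][#egg=...]
GIT_DEP = re.compile(
    r"^(?:git\+)?https?://github\.com/(?P<owner>[^/\s]+)/(?P<repo>[^/\s@#]+?)(?:\.git)?"
    r"(?:@(?P<ref>[^#\s]+))?(?:#\S*)?$"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def check_dependency(spec):
    """Findings for one git spec ([] = canonical owner + full-SHA pin); None if not a GitHub git URL."""
    m = GIT_DEP.match(spec.strip())
    if m is None:
        return None  # index packages (name==version) are out of scope for this check
    owner, repo, ref = m["owner"], m["repo"].lower(), m["ref"]
    findings = []
    expected = CANONICAL_OWNERS.get(repo)
    if expected is None:
        findings.append(f"{repo}: no canonical owner on record")
    elif owner.lower() != expected.lower():
        # Same repo name under a different owner is the shape of a copycat substitution.
        findings.append(f"{repo}: owner {owner!r} is not canonical {expected!r} (possible copycat)")
    if ref is None or not FULL_SHA.match(ref):
        # Branches and tags can be moved or re-pushed; only a full commit SHA is immutable.
        findings.append(f"{repo}: not pinned to a full commit SHA (ref={ref!r})")
    return findings

def audit_requirements(text):
    """Map each GitHub git dependency line of a requirements file to its findings."""
    report = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments, keep '#egg=' fragments
        if line and not line.startswith("#"):
            findings = check_dependency(line)
            if findings is not None:
                report[line] = findings
    return report

SAMPLE_REQUIREMENTS = """\
# constructed sample; the SHA and the 'pallets-dev' owner are illustrative, not real
git+https://github.com/psf/requests@0f5a8e4d1b6c2a7e9f3b4c5d6e7f8a9b0c1d2e3f#egg=requests
git+https://github.com/pallets-dev/flask@main#egg=flask
git+https://github.com/jpadilla/pyjwt.git@v2.8.0
"""

if __name__ == "__main__":
    for spec, findings in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(spec, "->", findings or ["ok"])
```

Only the `flask` entry trips the copycat check; the `pyjwt` entry is flagged solely because a tag, unlike a commit SHA, can be re-pointed.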

The success of this campaign lies in its automation, with attackers cloning, infecting, and reuploading repositories on a massive scale. Researchers estimate that millions of repositories have been affected, with the automated process creating thousands of forks for each project and promoting them across various online platforms. As a result, developers who accidentally download these malicious copies may unknowingly install the BlackCap Grabber malware, which can steal sensitive information such as credentials and browser data.

GitHub has been proactive in responding to these threats, taking down the majority of malicious repositories within hours of their posting. However, Apiiro noted that the automation behind the attack allows some repositories to evade detection, posing a persistent risk to users. A GitHub spokesperson emphasized the platform’s commitment to security and encouraged users to report any suspicious activity to maintain a safe environment for developers.

The choice of GitHub as a target for confusion attacks can be attributed to several factors. The ease of creating accounts and repositories, combined with the sheer number of repositories on the platform, gives attackers ample cover for their malicious activity. Additionally, privacy issues and compromised accounts make GitHub easier for cybercriminals to abuse.

Shawn Loveland, COO of Resecurity, highlighted the challenges posed by compromised GitHub accounts and emphasized the need for companies to establish clear policies on using the platform. Even organizations that do not directly interact with GitHub may be at risk due to their reliance on developers who engage with third-party code. Loveland urged companies to communicate their GitHub policies with employees and vendors to mitigate the potential impact of malicious repositories on their operations.

As the threat of malicious GitHub repositories continues to grow, organizations must remain vigilant and implement robust security measures to protect their software supply chain. By staying informed about the risks associated with third-party code and maintaining clear communication about GitHub usage policies, companies can reduce their vulnerability to these damaging attacks.
