CyberSecurity SEE

Supply Chain Attackers Ramp Up GitHub Dependabot Impersonation


Attackers have once again targeted software supply chains, this time by slipping in malicious code updates to hundreds of GitHub repositories. They accomplished this by using stolen passcodes to commit changes and then masquerading as Dependabot, a well-known tool, to trick developers into accepting those updates.

According to an advisory published by software security firm Checkmarx, the attackers abused stolen personal access tokens (PATs), the credentials that authenticate the account pushing a code update. By spoofing the name of the contributor, they were able to check code into the GitHub repositories and append malicious code to the end of JavaScript files.

This campaign marks a new tactic, as the attackers labeled the code submissions as if they were made by Dependabot itself. This made it more difficult for developers to scrutinize the changes. Guy Nachshon, a security researcher at Checkmarx, describes this as a software supply chain attack and notes that it is the first time they have witnessed such impersonation of Dependabot.

The GitHub platform has been a frequent target for these types of attacks. In November, attackers stole code from Dropbox’s GitHub repositories by convincing a developer to enter their credentials and two-factor authentication code into a phishing site. In December, another attacker created a malicious Python package that impersonated a software development kit for a popular security client.

GitHub has clarified that its systems were not compromised in this specific attack and there is no evidence to suggest GitHub users are at risk. However, the company acknowledges that bad actors will continue to attempt to compromise personal data and private information wherever they can find it.

Dependabot, which was acquired by GitHub in 2019, is an automated tool used to perform regular software and security checks for projects hosted on the platform. The attackers chose to submit the code under the name Dependabot to take advantage of the trust associated with the tool. Nicolas Danjon, a security researcher at GitGuardian, explains that developers tend to accept requests from Dependabot without thoroughly reviewing the code because they trust the source.

While the impersonation of Dependabot may deceive developers, the actual submission of the code is made possible only by the theft of PATs. Checkmarx emphasizes that without these credentials, the threat is significantly reduced. Developers are advised to secure their accounts and to use fine-grained tokens instead of classic tokens, following the principle of least privilege.

To protect software development pipelines against attacks, developers should ensure that their credentials are secure. GitHub has already started scanning all public repositories for developer secrets and has mandated two-factor authentication for all developer accounts. Additionally, developers should not solely rely on project attributes to determine trustworthiness, as attackers can forge these signals and metadata.
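The last point above, not trusting the contributor name on its own, can be turned into a repository check. The following Python audit is an added example, not code from the article, Checkmarx or GitHub: it reads `git log` output and flags any commit that claims a Dependabot identity but lacks the bot's own noreply e-mail address or a verified signature. The log format, the expected e-mail suffix and the sample log lines are assumptions constructed for the example; compare them against commits you know to be genuine in your own repositories.

```python
"""Flag commits that claim to be Dependabot on the author name alone.

Input format is one line per commit from
    git log --format='%H|%an|%ae|%G?|%s'
where %G? is git's signature status ('G' = good, 'N' = none, 'B' = bad).
"""
from dataclasses import dataclass

# Identity GitHub's own Dependabot uses for its commits (assumption: verify
# against a commit you already know is genuine before relying on it).
DEPENDABOT_NAME = "dependabot[bot]"
DEPENDABOT_EMAIL_SUFFIX = "+dependabot[bot]@users.noreply.github.com"


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    sig_status: str  # %G? field
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Split pipe-delimited log lines; the subject may itself contain '|'."""
    return [Commit(*line.split("|", 4)) for line in text.strip().splitlines()]


def impersonation_findings(commit: Commit) -> list[str]:
    """Reasons a Dependabot-looking commit should not be trusted by name."""
    if "dependabot" not in commit.author.lower():
        return []  # does not claim the bot identity; out of scope here
    reasons = []
    if commit.author != DEPENDABOT_NAME:
        reasons.append(f"author name {commit.author!r} only resembles the bot")
    if not commit.email.endswith(DEPENDABOT_EMAIL_SUFFIX):
        reasons.append(f"e-mail {commit.email!r} is not the bot's noreply address")
    if commit.sig_status != "G":
        reasons.append(f"signature status {commit.sig_status!r}, expected 'G'")
    return reasons


def audit(text: str) -> dict[str, list[str]]:
    """Map each suspicious commit SHA to the reasons it was flagged."""
    return {c.sha: r for c in parse_log(text) if (r := impersonation_findings(c))}


# Constructed sample: one genuine-looking bot commit, two impersonations, one human.
SAMPLE_LOG = """\
a1b2c3d|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|G|Bump lodash from 4.17.20 to 4.17.21
e4f5a6b|dependabot[bot]|dev@example.com|N|Bump axios from 0.21.1 to 0.21.4
c7d8e9f|Dependabot|49699333+dependabot[bot]@users.noreply.github.com|N|Update dependencies
0f1e2d3|Jane Developer|jane@example.com|N|Fix login redirect
"""

if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG).items():
        print(sha, "->", "; ".join(reasons))
```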

Companies should safeguard their development secrets and consider using honey tokens, which are fake credentials sprinkled throughout developers’ environments. These tokens can help detect when attackers attempt to use invalid identities. Furthermore, developers should carefully analyze the code from the packages they are using to detect any malicious code that may have been inserted into the supply chain.

Checkmarx’s Nachshon also suggests that GitHub should allow every user to access their security access logs, a feature that is currently limited to enterprise users. By providing this transparency, GitHub users would have greater visibility into their accounts and be able to detect any suspicious activity.

As software supply chain attacks continue to pose a significant risk, developers and platform providers must remain vigilant and take proactive measures to protect against these threats.
