GitHub is under automated attack by millions of cloned repositories filled with malicious code.

GitHub is an important resource for programmers worldwide, serving as an extensive knowledge base and repository for open source coding projects, data storage, and code management. However, the site is currently undergoing an automated attack involving the cloning and creation of a vast number of malicious code repositories, and although developers are working to remove affected repositories, a significant number persist and more are reportedly being uploaded on a regular basis.

Unknown attackers have successfully created and deployed automated processes that fork and clone existing repositories and add their own malicious code hidden under seven layers of obfuscation (via Ars Technica). These rogue repositories are difficult to distinguish from legitimate repositories, and users unaware of the malicious nature of the code are also forking the affected repositories themselves, unintentionally increasing the scale of the attack.

Once a developer uses an affected repository, a hidden payload begins to unravel seven layers of obfuscation, including malicious Python code and binary executables. The code then collects sensitive data and login credentials and uploads them to the attackers' command-and-control server.

The research and data team at security provider Apiiro is monitoring the resurgence of this attack, which began last May on a relatively small scale. According to the company, GitHub is quickly removing affected repositories, but its automated detection system still misses many of them, and manually uploaded versions are still slipping through the net.

Given the scale of the current attack, which researchers say amounts to millions of uploaded or forked repositories, even a 1% miss rate means there are still potentially thousands of compromised repositories on the site.

While the attacks were somewhat small-scale when they were first documented, with a few packages containing early versions of malicious code being detected on the site, they have gradually grown in size and sophistication. Researchers have identified several potential reasons for the success of previous operations, including the overall size of GitHub's user base and the increasing complexity of the modus operandi.

What is really intriguing here is the combination of sophisticated automated attack methods and simple human nature. While the obfuscation methods are becoming increasingly complex, the attackers rely heavily on social engineering to confuse developers into choosing the malicious clone over the real repository; those developers then unwittingly spread the malicious code themselves, which compounds the attack and makes detection more difficult.
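As an added example (not code from the original article, nor from Apiiro or GitHub), the following Python vets GitHub-hosted dependencies against a constructed allowlist of canonical owners and flags the pattern described above: a fork that reuses a well-known repository name under a different, recently created owner. The GitHub REST API field names (`full_name`, `fork`, `parent`, `created_at`, `stargazers_count`) are real; the allowlist, metadata and requirement lines are constructed sample data.

```python
"""Flag repo-confusion risk in GitHub-hosted dependencies (constructed example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed allowlist: repository name -> owner we consider canonical.
CANONICAL = {"example-lib": "example-org"}

# Matches the owner/repo part of git+https://github.com/owner/repo[.git][@ref] lines.
GIT_DEP = re.compile(r"github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?(?:[@#/]|$)")

def parse_github_dep(line):
    """Return (owner, repo) for a GitHub git requirement line, else None."""
    m = GIT_DEP.search(line)
    return (m["owner"], m["repo"]) if m else None

def assess_repo(meta, now, young_days=30):
    """Return a list of human-readable red flags; an empty list means none found."""
    owner, name = meta["full_name"].split("/", 1)
    expected = CANONICAL.get(name)
    findings = []
    if expected and owner != expected:
        findings.append(f"name collides with {expected}/{name} but owner is {owner}")
    parent = (meta.get("parent") or {}).get("full_name")
    if expected and meta.get("fork") and parent and parent.startswith(f"{expected}/"):
        findings.append(f"fork of canonical {parent}")
    created = datetime.fromisoformat(meta["created_at"].replace("Z", "+00:00"))
    if now - created < timedelta(days=young_days):
        findings.append(f"created {(now - created).days} days ago")
    if expected and meta.get("stargazers_count", 0) < 5:
        findings.append("near-zero stars for a repo using a well-known name")
    return findings

def vet_requirements(lines, metadata, now):
    """Map each GitHub dependency in `lines` to its findings, using pre-fetched metadata."""
    report = {}
    for line in lines:
        dep = parse_github_dep(line)
        if dep:
            full = "/".join(dep)
            meta = metadata.get(full)
            report[full] = assess_repo(meta, now) if meta else ["metadata unavailable"]
    return report

# Constructed sample data: one canonical repo and one lookalike fork by a new owner.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_METADATA = {
    "example-org/example-lib": {"full_name": "example-org/example-lib", "fork": False, "parent": None,
                                "created_at": "2019-06-12T00:00:00Z", "stargazers_count": 4200},
    "new-user-77/example-lib": {"full_name": "new-user-77/example-lib", "fork": True,
                                "parent": {"full_name": "example-org/example-lib"},
                                "created_at": "2024-02-25T10:00:00Z", "stargazers_count": 0},
}
REQUIREMENTS = ["requests==2.31.0", "git+https://github.com/example-org/example-lib.git@v1.4.0",
                "git+https://github.com/new-user-77/example-lib.git@main"]
```

In practice the metadata dict would be filled from `GET /repos/{owner}/{repo}` before the check runs; any dependency with findings should be reviewed by a human rather than installed.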

Currently, the method seems to be working surprisingly well, and while GitHub has not yet commented directly on the attack, it has issued a general statement reassuring users: "We employ manual review and at-scale detection that uses machine learning, constantly evolving and adapting to hostile attacks."

The dangers of becoming popular seem to be evident here: while GitHub remains an important resource for developers worldwide, its open source nature and huge user base seem to leave it somewhat vulnerable. However, given the effectiveness of this approach, it should come as no surprise that solving this problem entirely seems like an uphill battle that GitHub has yet to overcome.