Be careful with GitHub repositories!

The Israeli and US-based security firm Apiiro has extensively reported on a malware distribution scheme observed over several months, involving compromised clone repositories on GitHub. At its peak, this scheme resulted in the creation of 100,000 infected repositories on the popular coding platform, growing so rapidly that GitHub struggled to remove them promptly.

The method used by the perpetrators is straightforward: they clone a repository of a popular project, inject it with malicious code, and then populate thousands of clone repositories with it. These are then sneaked into the Python Package Index (PyPI) and promoted across various forums and social media channels, where unsuspecting developers might find them and unwittingly incorporate them into their projects.

The malicious code, referred to by Apiiro as “BlackCap-Grabber,” is designed to collect login credentials, cookies, and other sensitive information, which is then sent to the attackers’ command-and-control servers. Although GitHub quickly removes most of these automatically generated fake repositories, some, especially those manually created, may be overlooked.

Apiiro first noticed packages listed on PyPI in May 2023 that pointed to forks of GitHub repositories. Since then, attackers have been attempting to distribute manipulated software directly through GitHub, increasingly targeting niche projects and relying on developers' trust to incorporate unknown code into their projects.
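As an added defender-side example (not code from Apiiro's report or from this article), the following Python checks whether the GitHub repository a PyPI package points to is a fork of a known-good upstream, reuses a canonical project's name under another owner, or is a freshly created repository with no community footprint. The package names, repository names, metadata and the canonical allowlist are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed allowlist of canonical upstream repositories (assumption for this example).
CANONICAL = {"example-org/widgetlib"}

# Constructed PyPI-style metadata: the project_urls block a package publishes.
PYPI_META = {
    "widgetlib": {"project_urls": {"Source": "https://github.com/example-org/widgetlib"}},
    "widgetlib-pro": {"project_urls": {"Homepage": "https://github.com/rand0m-user/widgetlib"}},
}

# Constructed GitHub-style repository metadata. Simplified: the real REST API nests
# "parent" as an object; here only its full_name is kept as a string.
GITHUB_META = {
    "example-org/widgetlib": {"fork": False, "parent": None, "stargazers_count": 4200,
                              "created_at": "2019-03-01T00:00:00Z"},
    "rand0m-user/widgetlib": {"fork": True, "parent": "example-org/widgetlib",
                              "stargazers_count": 0, "created_at": "2024-02-20T00:00:00Z"},
}

# Fixed reference time so the age check is deterministic (constructed).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

GITHUB_URL = re.compile(r"https?://github\.com/([\w.-]+)/([\w.-]+?)(?:\.git)?/?$")


def github_repos(pypi_meta):
    """Return the set of owner/name GitHub repositories referenced in project_urls."""
    repos = set()
    for url in pypi_meta.get("project_urls", {}).values():
        m = GITHUB_URL.match(url)
        if m:
            repos.add(f"{m.group(1)}/{m.group(2)}")
    return repos


def assess(pypi_meta, github_meta, canonical, now=NOW):
    """Return findings explaining why the package's source repo looks like a repo-confusion clone."""
    findings = []
    for repo in github_repos(pypi_meta):
        if repo in canonical:
            continue  # points at the trusted upstream, nothing to flag
        info = github_meta.get(repo)
        if info is None:
            findings.append(f"{repo}: repository metadata unavailable")
            continue
        if info["fork"] and info["parent"] in canonical:
            findings.append(f"{repo}: fork of canonical {info['parent']}")
        name = repo.split("/")[1]
        if any(c.split("/")[1] == name for c in canonical):
            findings.append(f"{repo}: same name as a canonical project under a different owner")
        age = now - datetime.fromisoformat(info["created_at"].replace("Z", "+00:00"))
        if age.days < 90 and info["stargazers_count"] < 10:
            findings.append(f"{repo}: created {age.days} days ago with {info['stargazers_count']} stars")
    return findings
```

Fed real data from the PyPI JSON API and the GitHub repositories endpoint, the same checks run over a lockfile before a dependency is added.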

Apiiro’s focus on reporting these operations is not surprising, given the company specializes in software development security for cloud services, with a particular emphasis on monitoring supply chains and bill of materials. The security of package repositories has been a topic of concern for some time.