Hundreds of developers have fallen victim to a hacker who has wiped their Git source code repositories and replaced the contents with a ransom demand. The attacks appear to be coordinated across several hosting services, including GitHub, Bitbucket and GitLab.
The attacks started on Friday, ZDNet reports. It is unclear exactly how they are carried out. What is clear is that the hacker removes all source code and recent commits from victims’ Git repositories and then leaves a note demanding a payment of 0.1 bitcoin, roughly 570 dollars.
The hacker claims that the source code has been downloaded and stored on one of his servers, and gives the victim ten days to pay the ransom. If the victim does not pay, the hacker threatens to make the source code public. According to a search on GitHub, at least 392 GitHub repositories were hit by the attack.
Weak passwords
Kathy Wang, Director of Security at GitLab, states that the problem was caused by a compromised account that a user reported on StackExchange earlier on Friday. “We have identified affected user accounts and all those users have been notified. As a result of our research, we have strong evidence that the passwords of compromised accounts are stored as plaintext on a deployment of a related repository.”
GitLab therefore advises users to use a password manager and set up two-step authentication. “Both would have prevented this problem,” says Wang.
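A defender's check for the root cause GitLab describes, as an added example that is not from the article or from GitLab: it scans the text of a deployed checkout's Git config for passwords embedded in remote URLs and for the "store" credential helper, which keeps passwords unencrypted on disk. That the plaintext passwords sat in such a config file is an assumption, since the article does not say where they were stored; the sample config and the function name are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of a deployed checkout's .git/config (not from the article).
SAMPLE_CONFIG = """\
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://deploy-bot:EXAMPLE-PASSWORD@git.example.com/acme/shop.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
	url = https://git.example.com/acme/shop.git
[remote "ssh"]
	url = git@git.example.com:acme/shop.git
[credential]
	helper = store
"""


def find_plaintext_credentials(config_text):
    """Return (section, key, redacted detail) for each secret kept in plaintext."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key in ("url", "pushurl"):
                # urlsplit exposes the password of a user:password@host URL.
                password = urlsplit(value).password
                if password:
                    # Never echo the secret itself into a report or log.
                    findings.append((section, key, value.replace(password, "***")))
            elif section == "credential" and key == "helper":
                # The "store" helper writes credentials unencrypted to disk.
                if value.split()[:1] == ["store"]:
                    findings.append((section, key, "helper 'store' keeps passwords unencrypted"))
    return findings


if __name__ == "__main__":
    for section, key, detail in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"[{section}] {key}: {detail}")
```

Any finding means the password should be rotated and replaced with a credential that is not written into the checkout.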
Atlassian, the company behind Bitbucket, has also started notifying customers whose accounts have been taken over by hackers. In addition, security alerts are being sent to accounts on which failed login attempts have taken place.
Retrieval of data
Members of the StackExchange Security Forum have since discovered that the hacker does not actually remove the commit headers, but only modifies them. This means that in some cases, code commits can be restored. Instructions for this are shared on the forum.
Private Git repositories may also have fallen victim to the attack. This will probably lead to lengthy investigations at companies whose own code has ended up on a remote server.
This news article was automatically translated from Dutch to give Techzine.eu a head start.