Despite the scare, initial reports of “35,000 projects infected” proved not to be true.
Thousands of GitHub repositories were copied with their clones altered to include malware, according to a report in BleepingComputer. The article says that the infections were discovered by a software engineer on Wednesday.
While cloning open source repositories is a common development practice and even encouraged among developers, this case involves threat actors creating copies of legitimate projects and tainting the copies with malicious code to target unsuspecting developers.
GitHub has purged most of the malicious repositories after receiving the engineer’s report, the article claims. “Software developer Stephen Lacy left everyone baffled when he claimed having discovered a ‘widespread malware attack’ on GitHub affecting some 35,000 software repositories”, BleepingComputer wrote.
Stephen Lacy reported his findings in a tweet. Contrary to what the original tweet seems to suggest, however, “35,000 GitHub projects” were not affected or compromised in any manner. Rather, the thousands of backdoored projects are copies (forks or clones) of legitimate projects purportedly made by threat actors to push malware. Official projects like crypto, golang, python, js, bash, docker and k8s remain unaffected.
A false alarm was corrected
While reviewing an open-source project Lacy had “found off a google search”, the engineer noticed a URL in the code that he shared on Twitter. BleepingComputer, like many, observed that searching GitHub for this URL returned 35,000+ results, each a file containing the malicious URL. The 35,000 figure therefore counts suspicious files rather than infected repositories, and a single repository can account for many of them.
BleepingComputer further discovered that out of the 35,788 code results, more than 13,000 came from a single repository called ‘redhat-operator-ecosystem’. That repository appears to have since been removed from GitHub and now returns a 404 (Not Found) error. The engineer has since issued the appropriate corrections and clarifications to his original tweet.