Thousands of GitHub projects cloned, with the clones modified to contain malware

Software engineers have found that thousands of GitHub projects were duplicated and the copies modified to contain malware. Duplicating (forking or cloning) open source repositories is a normal, even encouraged, development practice; here, however, threat actors made copies of trusted projects and injected malicious code into them, so that unwary developers would pick up the poisoned clones instead of the originals.

When software engineer Stephen Lacy reported a "widespread malware attack" on GitHub affecting roughly 35,000 software projects, the claim caused confusion. Contrary to what the original tweet appeared to imply, none of the "35,000 projects" on GitHub were themselves altered or compromised. The backdoored projects are forks or clones of legitimate projects, which the threat actors are believed to have created in order to spread the malware. The official projects named in the reports, such as Crypto, Golang, Python, Java, Bash, Docker, and K8s, are not affected. That does not mean the finding is unimportant, as the following sections show.

Lacy noticed the following URL in the source code of an open source project he had "discovered off a google search".

Searching GitHub for that URL returned around 35,000 results, each a file containing the malicious URL. The figure therefore counts suspect files, not compromised repositories. Closer examination showed that more than 13,000 of the 35,788 code results came from a single repository, "RedHat-operator-ecosystem".
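The file-versus-repository distinction above is easy to get wrong when triaging a batch of suspect checkouts. The following Python script is an added example, not code from the article or from any of the projects it mentions: it scans a directory of local clones for an indicator string and reports both the number of matching files and the number of repositories they belong to. The indicator URL (`http://malicious.example/collect`) and the sample checkouts it builds are constructed placeholders standing in for the real URL and repositories.

```python
"""Count indicator hits per file and per repository in a tree of checkouts.

Added example (not from the original article). GitHub code search counts
matching *files*, not repositories; this script makes the distinction
explicit for a directory containing one subdirectory per local clone.
The indicator string and the sample tree are constructed placeholders.
"""
import os
import tempfile
from collections import defaultdict

# Placeholder indicator (assumption): in a real triage this would be the
# malicious URL or host extracted from the suspect file.
INDICATOR = "http://malicious.example/collect"


def scan_tree(root, indicator=INDICATOR):
    """Return {repo_name: [relative paths of files containing indicator]}.

    `root` is expected to hold one subdirectory per checkout; the
    subdirectory name is treated as the repository name. Files are read
    as bytes so binary blobs do not raise decode errors, and .git
    internals are skipped so packed objects are not counted as hits.
    """
    needle = indicator.encode()
    per_repo = defaultdict(list)
    for repo in sorted(os.listdir(root)):
        repo_dir = os.path.join(root, repo)
        if not os.path.isdir(repo_dir):
            continue
        for dirpath, dirnames, filenames in os.walk(repo_dir):
            dirnames[:] = [d for d in dirnames if d != ".git"]
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        if needle in fh.read():
                            per_repo[repo].append(os.path.relpath(path, root))
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
    return dict(per_repo)


def summarize(per_repo):
    """Collapse a scan result into the two numbers the article distinguishes."""
    return {
        "matching_files": sum(len(paths) for paths in per_repo.values()),
        "matching_repos": len(per_repo),
    }


def build_sample_tree():
    """Construct a small sample tree (constructed data, not real repositories):
    one clone with the indicator copied into many files, one clean clone,
    and one clone with a single injected file."""
    root = tempfile.mkdtemp(prefix="clone-scan-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    for i in range(5):
        write(f"bulk-copied-repo/manifests/deploy{i}.yaml",
              f"image: registry/operator:{i}\n# {INDICATOR}\n")
    write("clean-repo/main.go", "package main\n\nfunc main() {}\n")
    write("tampered-repo/install.sh",
          f'#!/bin/sh\ncurl -s "{INDICATOR}" >/dev/null\n')
    write("tampered-repo/README.md", "# tampered-repo\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    print(summarize(hits))  # {'matching_files': 6, 'matching_repos': 2}
    for repo, paths in hits.items():
        print(f"{repo}: {len(paths)} file(s)")
```

On the sample tree the six matching files collapse to two repositories, which is the same effect that turned a 35,788-file search result into a much smaller set of cloned repositories in the article. Point `scan_tree` at a directory of real checkouts and swap in the actual URL to reproduce the count for your own environment.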