alt Hacker NewsThe approach the attacker took makes little sense to me, perhaps someone else has an explanation for it? At first they monitored what's going on and then silently exfiltrated credentials and private repos. Makes sense so far. But then why make so much noise with trying to force push repositories? It's Git, surely there's a clone of nearly everything on most dev machines etc.
Replies
chuckadams • last Sunday at 2:49 PM
Malware sometimes suffers from feature creep too.
It's most likely two or more separate attackers operating. The first malware, Shai Hulud 2, exfiltrates credentials from the infected dev machine to new public GitHub repositories. As the repositories are public and searchable via GitHub's interfaces, any malicious attacker aware of the attack can easily grab the credentials and launch any attack, whether it's a noisy destructive script or some sophisticated ransomware.