alt Hacker NewsI found 10k GitHub repositories distributing Trojan malware
Comments
I uploaded a sample found here (https://github.com/alexct142010-cell/McBackuper ) to Genus Codes (need an account): https://genuscodes.com/results/7ad4b911d05a12f91ab27ba3baa35... Seems to be related to the disco trojan family, by way of normalized function matching at 50% to malicious file https://genuscodes.com/results/eddbc29db4677e00c1a901aadbadb... and a normalized 50% match to https://genuscodes.com/results/fdb6cff68a2a8c08779d64a7cf61d...
Virustotal link: https://www.virustotal.com/gui/file/fdb6cff68a2a8c08779d64a7...
> I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results
Side story, this kind of thing is what made me stop using Bing.
I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"
I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.
> Why do they delete a commit and push a new one every few hours?
May be to make it appear on the top of the "Last Updated" repositories in case someone searches for the repo or a keyword. So instead of the author's actual repo, the users endup cloning the trojan infected one.
A year ago a similar attack was reported and I think that there have been similar campaigns reported this year: https://github.com/evilsocket/opensnitch/discussions/1290#di...
- This is a new repository, not a fork
- All repositories have different contributors and different names
From the last two points, it becomes clear that even if we find one such repository, we won’t be able to find other similar repositories using it.
Also, github doesn't delete repositories and accounts, they mark them as deleted. If you use their api you can still list them.
It happened a few times to me that I'd find some very well constructed scam scheme (cryptocurrency washing systems, web platform/phishing scams), then I'd research deeper into it to see how it worked, just to ultimately feel powerless not knowing what to do with the information.
>The zip archive contains 4 files: Application.cmd or Launcher.cmd loader.exe or luajit.exe or another_name.exe random_name.cso or random_name.txt lua51.dll If you submit a link to the archive to VirusTotal, it will find 0 viruses. If you submit the zip file itself, it will detect a Trojan inside it.
MS Windows
Any open source tool to scan a github repo before download/install it locally? I'm thinking of semgrep or socket.dev but I wonder if there's a better option
People need to do their due diligence when including open-source software and packages not just when they first use them but anytime you have a need to upgrade them. I highly doubt I'm the first one to think of this, but there really aught to be tool or comprehensive set of tools that routinely scan open-source software and packages for potentially malicious code and alert users of the problem(s).
is it possible to ban them or report them ?
I uploaded several of these virus-infected archives to VirusTotal. In each archive, under the “Network Communication” section, the virus makes requests to three resources: a GET request to a website to retrieve IP information, a POST request to a Polygon RPC node (drpc), and a POST request to what appears to be the virus creator’s server. I can only assume that the scheme is designed to steal cryptocurrency.
> Another month later, GitHub support sent me an email saying that they had removed these repositories.
I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Phillips LED light strip.
I reported it to GitHub and it was removed within 24 hours.
I discovered another repository like this, and they still haven't replied since (one month).
No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)
It will feel very spooky when they stop updating because of this essay .
Microsoft: and the one thing we absolutely refuse to use AI for is to flag this kind of bullshit to protect users, because it would violate the rule of "don't do anything actually useful with it".
[dead]
Hi Claude fable, why u not protecting me from malware? Am i not american enough? Not rich enough? Yieks..
I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.