Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Powered by MOMENTUM MEDIA
Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Explore

SECTIONS

MORE

search button

Potentially millions of GitHub repositories infected in ‘repo confusion’ campaign

Potentially millions of GitHub repositories have been infected with malware in a unique “repo confusion” attack, according to new reports.

user icon Daniel Croft
Mon, 04 Mar 2024 Security
Potentially millions of GitHub repos infected in
expand image

According to cloud security firm Apiiro, over 100,000 repositories have been compromised on GitHub, but the real number may be in the millions.

Threat actors are utilising what is being referred to as a “repo confusion” attack, which takes advantage of how the GitHub system manages repository names.

First, attackers clone copies of popular GitHub repositories like TwitterFollowBot, WhatsappBOT, discord-boost-tool, Twitch-Follow-Bot, and more.

============
============

Once downloaded, the attackers infect them with malware loaders, such as those designed to steal credentials, browser data and other sensitive information.

The repositories are then reuploaded to GitHub with the exact same names in the hope that developers looking to use the repositories download the infected ones unknowingly.

To maximise success, the hackers automatically fork the infected repositories thousands of times and promote them in forums, over Discord and other places online.

While GitHub quickly removes many of the forked repositories, its automated security seems to miss many, particularly those that have been uploaded manually.

When an unsuspecting developer utilises an infected repository, the malware begins unpacking a payload that has been hidden under seven layers of obfuscation.

Cyber Daily logo
VIEW ALL

In this process, malicious Python code and a specifically modified version of the BlackCap-Grabber malware are extracted and begin collecting sensitive information such as login details, passwords, personal data and more.

This data is then transmitted to a command-and-control server run by the threat actors.

The repo confusion campaign was first observed in May last year, according to Apiiro, and has begun picking up steam in recent months, with the number of infected repositories exceeding 100,000 as of November 2023. While unconfirmed, the real number could be in the millions.

Apiiro observed malicious packages containing the payload in question first appearing on Python Package Index (PyPi) in May 2023.

Only two months later, as PyPi began removing the malicious payloads, threat actors began uploading infected repositories manually.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.
CD Logo

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED

Be the first to hear the latest developments in the cyber industry.

Copyright © 2007-2024 MOMENTUMMEDIA
Copyright & DisclaimersPrivacy PolicyTerms & Conditions
momentummedia media
most innovative companies awards

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

CATEGORIES

STAY CONNECTED

Copyright © 2024 MOMENTUMMEDIA