Tech News
GitHub suffers from over 100K infected repos – Developer News
Developers face a major security threat as over 100,000 repositories on GitHub are infected with malicious code.
This resurgence of a malicious repo confusion campaign – detected by Apiiro’s security researchers – has impacted countless developers who unwittingly use repositories they believe to be trusted but are, in fact, compromised.
Similar to dependency confusion attacks – which exploit package managers – repo confusion attacks rely on human error, tricking developers into downloading malicious versions instead of legitimate ones.
Malicious actors clone existing repositories, infect them with malware loaders, upload them with identical names to GitHub, and then automatically fork them thousands of times—spreading them across the web through forums and other channels.
Once developers use these infected repos, the hidden payload unpacks layers of obfuscation—executing malicious Python code and binary executables. This modified code – often a version of BlackCap-Grabber – collects sensitive data such as login credentials and browser information, sending it to the attackers’ command-and-control server.
While GitHub swiftly removes most of the forked repos, automated detection misses many, allowing thousands to persist.
The removal process – which targets fork bombs – occurs within hours of upload, making it challenging to document the extent of the attack. The sheer volume of repositories involved in this campaign, combined with their automation, poses a significant challenge to detection and mitigation efforts.
This malicious campaign began in May 2023 with the spread of malicious packages on PyPI and highlights a broader trend of malware targeting software supply chains. As attention on package managers increases, attackers are shifting their focus to source control managers like GitHub.
(Photo by Roman Synkevych on Unsplash)
Copyright © 2024 Developer Tech News. All Rights Reserved.
Mechanical Engineering Outstanding Senior 2024: Spencer Macturk – Virginia Tech
Alex Parrish
© 2024 Virginia Polytechnic Institute and State University. All rights reserved.
Biden administration taps tech CEOs for AI safety, security board – NBC News
The Department of Homeland Security established an advisory panel Friday to study how to protect critical infrastructure including power grids and airports from threats related to artificial intelligence.
The Artificial Intelligence Safety and Security Board, which has 22 initial members, includes high-profile figures in tech like OpenAI CEO Sam Altman, Microsoft CEO and chairman Satya Nadella and Alphabet CEO Sundar Pichai, according to a statement from the DHS.
President Joe Biden ordered the creation of the board in October when he signed a wide-ranging executive order on AI, representing the federal government’s first foray into trying to regulate the technology since advanced AI apps including OpenAI’s ChatGPT went viral in popularity.
The board’s mission includes developing recommendations “to prevent and prepare for AI-related disruptions to critical services that impact national or economic security, public health, or safety.”
AI experts have identified a wide array of potential security threats that the new technology could make possible, from swarms of autonomous drones to cheap and lethal bioweapons to more effective hacking threats against critical computer systems.
The government’s defense may involve using AI to fight AI, the DHS said.
“The Board will develop recommendations to help critical infrastructure stakeholders, such as transportation service providers, pipeline and power grid operators, and internet service providers, more responsibly leverage AI technologies,” the department said.
Homeland Security Secretary Alejandro Mayorkas said in a statement that AI “can advance our national interests in unprecedented ways” but that it also “presents real risks — risks that we can mitigate by adopting best practices and taking other studied, concrete actions.”
In addition to tech CEOs, the board includes the CEOs of Delta Air Lines, defense contractor Northrop Grumman and oil producer Occidental Petroleum, as well as Maryland’s Democratic Gov. Wes Moore, Seattle Mayor Bruce Harrell and the leaders of two civil rights organizations.
David Ingram covers tech for NBC News.
© 2024 NBC UNIVERSAL
What is AI, how does it work and what can it be used for? – BBC.com