There’s a terrible attack happening against Github right now where attackers are forking legitimate repositories and injecting malware – and then hoping unsuspecting users will download code from the attacker’s repo instead of the original. A researcher estimates this is happening to about 100,000 repos on Github.
As Dan Goodin writes at Ars Technica:
The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.
His article continues in great detail about how the attack works and the dangers involved. He also notes how Github is fighting back against this and removing malware repos … but the scale of the attack makes this hard.
A key point to me is that you should only download and execute code from repositories you trust.
This is kind of a 🤦‍♂️ statement, but it’s so easy to just search for code, find a repo, and use the code.
We all need to take the extra moment and figure out: is this repo a fork of another repo? And if so… why? There are perfectly legitimate reasons to fork a repo. Perhaps someone wants to improve the code or offer a new feature in a way the original developer didn’t want to.
But, as this attack shows, there are also malicious reasons for forking a repo.
We need to be sure we trust the source – which may mean doing the detective work to trace back and see if this is the original repo.
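One way to do that detective work before running anything is to ask GitHub itself whether a repository is a fork and what it was forked from. The script below is an added example, not code from the original post: it reads the shape of the GitHub REST API `GET /repos/{owner}/{repo}` response (the `fork`, `parent`, `source`, `stargazers_count` and `created_at` fields) and reports the chain back to the root repository plus a few signals worth a second look, such as a fork of a fork, a brand-new fork carrying the original’s exact name, or a copy with almost none of the original’s stars. The repository names and numbers in `SAMPLE_REPOS` are constructed placeholders; the day thresholds and star ratio are assumptions you can tune.

```python
"""Added example: is this GitHub repo a fork, and of what?

Works on the JSON that the GitHub REST API returns for GET /repos/{owner}/{repo}.
The SAMPLE_REPOS records are constructed for this example (placeholder names).
"""
import json
import urllib.request
from datetime import datetime, timezone

GITHUB_API = "https://api.github.com/repos/{full_name}"

# Fixed "current time" so the sample run is reproducible.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed metadata in the shape GitHub returns (only the fields this script reads).
SAMPLE_REPOS = {
    "upstream-org/widget-lib": {
        "full_name": "upstream-org/widget-lib", "name": "widget-lib", "fork": False,
        "stargazers_count": 4200, "created_at": "2019-03-01T00:00:00Z",
    },
    "forker-123/widget-lib": {
        "full_name": "forker-123/widget-lib", "name": "widget-lib", "fork": True,
        "stargazers_count": 0, "created_at": "2024-02-25T09:30:00Z",
        "parent": {"full_name": "upstream-org/widget-lib", "stargazers_count": 4200},
        "source": {"full_name": "upstream-org/widget-lib", "stargazers_count": 4200},
    },
    "forker-456/widget-lib": {
        "full_name": "forker-456/widget-lib", "name": "widget-lib", "fork": True,
        "stargazers_count": 1, "created_at": "2024-02-27T18:00:00Z",
        "parent": {"full_name": "forker-123/widget-lib", "stargazers_count": 0},
        "source": {"full_name": "upstream-org/widget-lib", "stargazers_count": 4200},
    },
}


def fetch_repo(full_name, token=None):
    """Fetch live metadata from the GitHub API (needs network; not used by the sample run)."""
    req = urllib.request.Request(GITHUB_API.format(full_name=full_name),
                                 headers={"Accept": "application/vnd.github+json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(repo, now=None, young_days=30, star_ratio=0.01):
    """Return the fork chain for one repo record plus notes a reviewer would want to see.

    young_days and star_ratio are assumed thresholds, not GitHub-defined values.
    """
    now = now or datetime.now(timezone.utc)
    result = {"repo": repo["full_name"], "fork": bool(repo.get("fork")),
              "parent": None, "source": None, "notes": []}
    if not result["fork"]:
        return result  # Not created with the fork button; see the caveat in the text below.

    parent = repo.get("parent") or {}   # immediate parent
    source = repo.get("source") or {}   # root of the whole fork chain
    result["parent"] = parent.get("full_name")
    result["source"] = source.get("full_name")

    if result["parent"] and result["source"] and result["parent"] != result["source"]:
        result["notes"].append("fork of a fork")
    if source.get("full_name", "").split("/")[-1] == repo.get("name"):
        result["notes"].append("same name as original")
    age_days = (now - _parse_ts(repo["created_at"])).days
    if age_days < young_days:
        result["notes"].append(f"created {age_days} days ago")
    src_stars = source.get("stargazers_count", 0)
    if src_stars and repo.get("stargazers_count", 0) < src_stars * star_ratio:
        result["notes"].append("far fewer stars than original")
    return result


if __name__ == "__main__":
    for record in SAMPLE_REPOS.values():
        print(json.dumps(assess(record, now=SAMPLE_NOW)))
```

Run it as-is to see the three constructed records assessed; swap in `assess(fetch_repo("owner/name"))` to check a real repository. One caveat: `fork` is only set when a repository was created with GitHub’s fork feature, so a copy that was re-uploaded from scratch will report `fork: false` and look like an original. A clean result here is a useful first check, not proof that you have found the real upstream.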
I wish the folks at Github all the best in combatting this attack. The ability to easily fork repos is such a key part of Github and the collaborative development of code. It’s unfortunate that it is being abused in this way. 🙁