Threat actors are now exploiting GitHub’s search functionality to trick unsuspecting users searching for popular repositories into downloading spurious counterparts that serve malware.
The latest assault on the open source software supply chain involves hiding malicious code within Microsoft Visual Code project files designed to download next-stage payloads from a remote URL, Checkmarx said in a report shared with The Hacker News.
“Attackers create malicious repositories with popular names and topics, using techniques such as automatic updates and fake stars to boost search rankings and deceive users,” said security researcher Yehuda Gelb.
The idea is to manipulate search rankings in GitHub to push repositories controlled by threat actors to the top when users filter and sort results by the most recent updates, and boost popularity via fake stars added via fake accounts.
In doing so, the attack lends a veneer of legitimacy and trust to fraudulent repositories, effectively tricking developers into downloading them.
“Unlike past incidents where attackers were found to add hundreds or thousands of stars to their repositories, it appears that in these cases the attackers opted for a more modest number of stars, likely to avoid raising suspicion with a exaggerated,” Gelb said.
It’s worth pointing out that previous research by Checkmarx uncovered a black market made up of online shops and chat groups that sell GitHub stars to artificially boost a repository’s popularity, a technique known as star inflation.
Furthermore, most of these repositories are disguised as legitimate projects related to popular games, cheats, and tools, adding an extra layer of sophistication to make it harder to distinguish them from benign code.
Some repositories have been observed to download an encrypted .7z file containing an executable named “feedbackAPI.exe” that has been inflated to 750 MB in a likely attempt to evade virus scanning and ultimately launch malware that shares similarities with Keyzetsu clipper.
Windows malware, which came to light early last year, is often distributed via pirated software such as Evernote. It is capable of diverting cryptocurrency transactions to wallets owned by attackers by replacing the wallet address copied to the clipboard.
The findings highlight the due diligence that developers must follow when downloading source code from open source repositories, not to mention the dangers of relying solely on reputation as a metric for assessing trustworthiness.
“The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open source ecosystem,” Gelb said.
“By exploiting GitHub’s search functionality and manipulating repository properties, attackers can trick unsuspecting users into downloading and executing malicious code.”
The development comes as Phylum said it discovered an increase in the number of spam (i.e. non-malicious) packets posted to the npm registry by a user called ylmin to orchestrate a “massive automated crypto farming campaign” abusing the Tea protocol.
“Tea Protocol is a web3 platform whose stated goal is to compensate maintainers of open source packages, but instead of cash rewards, they are rewarded with TEA tokens, a cryptocurrency,” the company’s research team said.
“The Tea protocol is not yet live. These users are collecting points from the ‘incentivized Testnet,’ apparently with the expectation that having more points in the Testnet will increase their chances of receiving a subsequent airdrop.”