HN Today

I found 10k GitHub repositories distributing Trojan malware

A developer's curiosity led to the discovery of roughly 10,000 GitHub repositories distributing Trojan malware, each one repeatedly deleting and re-pushing the same README commit so that the repository looks freshly active. The scale of the campaign exposes gaps in GitHub's malware detection and the slowness of its abuse-report handling, and it has raised concern across the developer community. The story also prompts a discussion of how much trust to place in open-source platforms and how much vigilance users must supply themselves.

Score: 244; Comments: 70; Highest rank: #1; 29h on front page
First seen: Jun 18, 1:00 PM; Last seen: Jun 19, 5:00 PM

The Lowdown

This article details the author's accidental discovery of a widespread malware distribution campaign on GitHub. It began when the author noticed cloned versions of their own repositories in Bing search results: identical content, plus one recent commit that added a link to a malicious zip archive to the README.

  • Initial Discovery: The author observed that the cloned repositories deleted and re-pushed the same commit every few hours; the commit's only purpose was to add a link to a zip archive containing a Trojan. VirusTotal reported the download URL as clean but flagged the zip file itself as malicious (a URL reputation check says nothing about the file behind it, so the archive, not just the link, is what to submit).
  • GitHub's Slow Response: The author reported the issue to GitHub support, but it took over a month for the initial repositories to be removed, and response times for subsequent reports were inconsistent.
  • Automated Detection: Realizing the scale of the problem, the author wrote a script to find repositories matching the same pattern: pushes every few hours; each push changing only the README, and only to add a zip archive link; content copied from other repositories rather than forked; and contributor and repository names unrelated to the original.
  • Scaling and Refinement: Using gharchive (the public archive of GitHub events), the author first filtered for repositories with very frequent pushes, which surfaced only a handful. Relaxing the frequency threshold dramatically increased the hits and led to about 10,000 repositories, all distributing Trojans.
  • Malware Characteristics: The zip archives typically contained cmd files, an exe loader, a cso/txt file, and lua51.dll. Later analysis by others identified them as SmartLoader and StealC (a loader and an infostealer).
  • Hypotheses: The author speculates that the attackers aim to bypass GitHub's security checks, rank highly in search results for newly updated repositories, and build trust by preserving full commit histories and contributor lists from the cloned projects.
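As an added example (not the author's script and not code from the post), the detection pattern above can be expressed as a small triage over GH Archive-style PushEvent records. The events, the per-commit file lists and the README text below are constructed sample data. The file list and README content are assumed to come from a separate commit lookup (for instance the GitHub commits API), since gharchive push events carry only commit SHAs and messages; the "same base commit across pushes" signal is my interpretation of how deleting and re-pushing one commit shows up in the event stream, and the threshold names are my own.

```python
"""Heuristic triage of GH Archive-style PushEvents for cloned repos that keep
re-pushing a README-only commit whose only change is a link to a zip archive.
Added example; the sample data below is constructed, not from the article."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

ZIP_LINK = re.compile(r"https?://\S+\.zip\b", re.IGNORECASE)
README_NAMES = {"readme", "readme.md", "readme.rst", "readme.txt"}


def _parse_ts(ts):
    # gharchive timestamps look like 2025-06-01T03:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def gap_hours(pushes):
    """Hours between consecutive pushes to one repository."""
    times = sorted(_parse_ts(p["created_at"]) for p in pushes)
    return [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]


def readme_only(files):
    """True when a commit touches nothing but a README."""
    return bool(files) and all(f.rsplit("/", 1)[-1].lower() in README_NAMES for f in files)


def score_repo(repo, pushes, commit_details, is_fork, max_gap_hours, min_pushes):
    """Evaluate one repository against the pattern; every signal must hold."""
    details = [commit_details.get(p["payload"]["head"], {}) for p in pushes]
    gaps = gap_hours(pushes)
    signals = {
        "enough_pushes": len(pushes) >= min_pushes,
        "frequent": bool(gaps) and statistics.median(gaps) <= max_gap_hours,
        # Deleting and re-pushing the same commit leaves 'before' pointing at the
        # same base commit every time (assumption about how the trick shows up).
        "same_base": len({p["payload"]["before"] for p in pushes}) == 1,
        "readme_only": all(readme_only(d.get("files", [])) for d in details),
        "zip_link": any(ZIP_LINK.search(d.get("readme", "")) for d in details),
        "not_fork": not is_fork,
    }
    return {"repo": repo, "signals": signals, "suspicious": all(signals.values())}


def triage(events, commit_details, forks, max_gap_hours=6.0, min_pushes=3):
    """Group PushEvents by repo and score each. Lower max_gap_hours for the
    'every few hours' filter; raise it to catch slower cadences."""
    by_repo = defaultdict(list)
    for e in events:
        if e.get("type") == "PushEvent":
            by_repo[e["repo"]["name"]].append(e)
    return {repo: score_repo(repo, pushes, commit_details, repo in forks,
                             max_gap_hours, min_pushes)
            for repo, pushes in by_repo.items()}


def flagged(events, commit_details, forks, **kwargs):
    """Sorted names of repositories on which every signal fired."""
    return sorted(r for r, v in triage(events, commit_details, forks, **kwargs).items()
                  if v["suspicious"])


def _push(repo, ts, before, head, message="Update README.md"):
    # Minimal gharchive PushEvent shape (constructed; SHAs are placeholders).
    return {"type": "PushEvent", "repo": {"name": repo}, "created_at": ts,
            "payload": {"ref": "refs/heads/main", "before": before, "head": head,
                        "commits": [{"sha": head, "message": message}]}}


LURE = "Download: https://example.invalid/files/tool-setup.zip"
SAMPLE_EVENTS = [
    # Cloned repo: same base commit, README-only commit re-pushed every 3 hours.
    _push("acme/cloned-tool", "2025-06-01T00:00:00Z", "base0", "c1"),
    _push("acme/cloned-tool", "2025-06-01T03:00:00Z", "base0", "c2"),
    _push("acme/cloned-tool", "2025-06-01T06:00:00Z", "base0", "c3"),
    _push("acme/cloned-tool", "2025-06-01T09:00:00Z", "base0", "c4"),
    # Ordinary project: real development, pushes days apart.
    _push("bob/project", "2025-06-01T10:00:00Z", "p0", "p1", "Fix parser"),
    _push("bob/project", "2025-06-03T10:00:00Z", "p1", "p2", "Add tests"),
    _push("bob/project", "2025-06-05T10:00:00Z", "p2", "p3", "Update README.md"),
    # A genuine fork with the same cadence is excluded by the not-fork rule.
    _push("carol/cloned-tool", "2025-06-01T00:00:00Z", "base0", "f1"),
    _push("carol/cloned-tool", "2025-06-01T03:00:00Z", "base0", "f2"),
    _push("carol/cloned-tool", "2025-06-01T06:00:00Z", "base0", "f3"),
]
# Constructed per-commit detail (files touched, README after the commit). In a
# real run this comes from a separate commit lookup, not from gharchive.
SAMPLE_COMMIT_DETAILS = {
    **{sha: {"files": ["README.md"], "readme": LURE}
       for sha in ("c1", "c2", "c3", "c4", "f1", "f2", "f3")},
    "p1": {"files": ["src/parser.c"], "readme": "A small parser."},
    "p2": {"files": ["tests/test_parser.c"], "readme": "A small parser."},
    "p3": {"files": ["README.md"], "readme": "A small parser. See docs/."},
}
SAMPLE_FORKS = {"carol/cloned-tool"}

if __name__ == "__main__":
    for repo, verdict in triage(SAMPLE_EVENTS, SAMPLE_COMMIT_DETAILS, SAMPLE_FORKS).items():
        print(repo, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["signals"])
```

Requiring every signal keeps the false-positive rate low on a firehose the size of gharchive; the author's refinement step corresponds to raising `max_gap_hours` once the strict cadence filter has proved the pattern, at which point the README-only, zip-link and same-base signals carry the discrimination.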

The article concludes by urging GitHub's security team to use the resources it has to detect and remove this threat at scale, and notes that GitHub has since started taking down the identified malicious repositories.

The Gossip

GitHub's Glacial Governance

Many commenters express frustration with GitHub's perceived inaction and slow response to reported malicious content, from malware to obvious piracy. There is a strong sentiment that GitHub lacks robust automated malware scanning, especially of release artifacts, and that manual reporting is often ineffective or inconsistent. The discussion asks why a platform of GitHub's scale does not proactively combat such widespread abuse when the pattern is simple enough for one developer to script.

Open Source's Security Scrutiny

A significant thread debates the 'many eyes' principle often associated with open-source software. While some challenge the idea that open source is inherently secure, others clarify that the principle refers to the auditability of code, not a guarantee against malware, especially when binaries are involved. Commenters highlight that GitHub hosts compiled binaries and that users often lack the time or expertise to audit code, leading to a false sense of security based on project popularity or platform trust.

Search & System Safeguards

The discussion extends to the broader topic of personal security, particularly search engine reliability and individual protection measures. One commenter describes a bad experience with Bing returning phishing sites, prompting others to advocate typing URLs directly or relying on a password manager that will not autofill on a look-alike domain. The consensus is that users must stay vigilant and use password managers, phishing-resistant MFA (passkeys or U2F keys), and ad blockers to defend against malicious links and typo-squatted domains.

Trojan Trace & Tech Tools

Commenters dive into the technical aspects of the malware, attempting to identify its family and modus operandi. One user provides a detailed analysis of a sample, linking it to the 'disco trojan family,' while another outlines the malware's network communication patterns (retrieving IP, Polygon RPC, and C2 server interaction). There's a clear call for more sophisticated, open-source tools that can automatically scan GitHub repositories and packages for malicious code and alert developers.