A real “epidemic” of fake repositories recently broke out on GitHub. Cybersecurity experts have noticed a surge in the activity of attackers creating cloned versions of well-known projects, embedding malicious code in them. More than 100,000 such traps are already scattered across the GitHub digital space, masquerading as reliable and popular development tools.
These “ghost repositories” use subtle manipulation and social engineering to trick developers into downloading them instead of the original versions. Once activated, the hidden malware acts, scanning and sending personal data, including accounts and passwords, back to its creators. Interestingly, much of this campaign is automated, allowing attackers to scale their attacks with unprecedented efficiency.
Chronology of the Git Hub malware infection
Based on the results of the Apiiro research, we see an epidemic timeline like this:
- In May 2023, this malware appeared on a website, PyPI, but when it was removed, the attackers moved to GitHub.
- In August 2023, several malicious repositories were uploaded to GitHub, disguised as real software.
- Since November 2023, Apiiro’s security research has found over 100,000 of these fakes, which continues to grow. The problem is that GitHub is so large that tracking malicious projects is hard. In addition, scammers have become less reliant on conventional ways of spreading viruses, making them harder to detect. They also often choose lesser-known projects to spoof, so developers may accidentally download the wrong thing.
The GitHub team is taking steps to identify and remove these malicious copies, and they claim that most of the malicious repositories have been removed. Still, the number and complexity of the malicious repositories is such that the threat cannot be eliminated entirely.
