Comments (74)
- danso: Being reminded of this anecdote from NYMag's recent cover story (which had previously been reported in a WSJ story[0]) about a Disney engineer who downloaded an AI-gen tool from GitHub and "checked the code himself, it had looked legitimate": https://archive.is/yAUNy

  > He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family's finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They'd had access for months.

  [0] https://www.wsj.com/tech/cybersecurity/disney-employee-ai-to...
- bananamogul: I reported a repo containing obvious nulled software to GitHub in February 2024. The title is "nulled WHMCS" and it's a full copy of that software with copy protection removed. It couldn't be more cut and dried. The repo is still there 2+ years later and GitHub has taken no action. If GitHub can't respond to tickets pointing out obvious pirated software, I don't think they care about anything anyone puts up.
- emodendroket: I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons, including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.
- StableAlkyne:

  > I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else's repository appeared in the results

  Side story, this kind of thing is what made me stop using Bing. I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain". I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.
- jp0001: I uploaded a sample found here (https://github.com/alexct142010-cell/McBackuper) to Genus Codes (need an account): https://genuscodes.com/results/7ad4b911d05a12f91ab27ba3baa35... Seems to be related to the disco trojan family, by way of normalized function matching at 50% to malicious file https://genuscodes.com/results/eddbc29db4677e00c1a901aadbadb... and a normalized 50% match to https://genuscodes.com/results/fdb6cff68a2a8c08779d64a7cf61d... VirusTotal link: https://www.virustotal.com/gui/file/fdb6cff68a2a8c08779d64a7...
- guhcampos:

  > Why do they only clone new repositories, rather than popular ones?
  > Why do they delete a commit and push a new one every few hours?

  Because this is not targeted to humans. It's targeted to agents. They just need to appear on a fraction of the searches agents do to add dependencies and get lucky a couple times to start a new infection cluster. Then to the more interesting question: why now?

  1. Agents, agents everywhere.
  2. MAJOR elections happening this year in the World, including US midterms and Brazilian mains. This appears to be an account-stealer worm, and my guess is it's looking to all those sweet sweet Facebook/Instagram/TikTok/WhatsApp accounts ready to bot their way into oblivion.
- RoadieRoller:

  > Why do they delete a commit and push a new one every few hours?

  Maybe to make it appear on the top of the "Last Updated" repositories in case someone searches for the repo or a keyword. So instead of the author's actual repo, the users end up cloning the trojan-infected one.
- tgtweak: This is a failure of malware flagging systems as well. VT should not return clean if there are any downstream files that are malicious, such as in this case.
- lookeey: It happened a few times to me that I'd find some very well constructed scam scheme (cryptocurrency washing systems, web platform/phishing scams), then I'd research deeper into it to see how it worked, just to ultimately feel powerless not knowing what to do with the information.
- gus_: A year ago a similar attack was reported and I think that there have been similar campaigns reported this year: https://github.com/evilsocket/opensnitch/discussions/1290#di...

  > - This is a new repository, not a fork
  > - All repositories have different contributors and different names
  > From the last two points, it becomes clear that even if we find one such repository, we won't be able to find other similar repositories using it.

  In previous campaigns the repositories were linked to a few users. But those users had starred other users, that at the same time had also cloned other repositories with the malware. Sometimes the malicious repository had been cloned from another malicious repo, and if you listed the repositories and "friends" of that user, all were part of the botnet. Also, GitHub doesn't delete repositories and accounts, they mark them as deleted. If you use their API you can still list them.
- beej71: I added Keyoxide proofs everywhere. It's not really protection against victims using the wrong repo, but at least people who look can be certain that the person who controls my domain and website is the same person who controls that particular GitHub account.
- rkozik1989: People need to do their due diligence when including open-source software and packages, not just when they first use them but anytime you have a need to upgrade them. I highly doubt I'm the first one to think of this, but there really ought to be a tool or comprehensive set of tools that routinely scan open-source software and packages for potentially malicious code and alert users of the problem(s).
- mmsc:

  > Another month later, GitHub support sent me an email saying that they had removed these repositories.

  I recently discovered a campaign where somebody was forking very small but useful codebases, replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Philips LED light strip. I reported it to GitHub and it was removed within 24 hours. I discovered another repository like this, and they still haven't replied since (one month). No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves).
- Teknomadix:

  > The zip archive contains 4 files:
  > - Application.cmd or Launcher.cmd
  > - loader.exe or luajit.exe or another_name.exe
  > - random_name.cso or random_name.txt
  > - lua51.dll
  >
  > If you submit a link to the archive to VirusTotal, it will find 0 viruses. If you submit the zip file itself, it will detect a Trojan inside it.

  MS Windows
- astronodev: I uploaded several of these virus-infected archives to VirusTotal. In each archive, under the "Network Communication" section, the virus makes requests to three resources: a GET request to a website to retrieve IP information, a POST request to a Polygon RPC node (drpc), and a POST request to what appears to be the virus creator's server. I can only assume that the scheme is designed to steal cryptocurrency.
- jslakro: Any open source tool to scan a GitHub repo before downloading/installing it locally? I'm thinking of semgrep or socket.dev but I wonder if there's a better option.
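A defender-side triage check of the kind jslakro asks about, keyed to the archive layout Teknomadix quotes above (a .cmd launcher, a renamed LuaJIT binary, a .cso/.txt payload and lua51.dll). This is an added example, not code from the thread or the article; the archive members and their contents are constructed stand-ins, and the check only inspects the zip's structure, so it complements rather than replaces submitting the archive itself to VirusTotal.

```python
import io
import os
import zipfile

# Roles of the four files described in the quoted archive layout.
LAUNCHER_EXTS = {".cmd", ".bat"}
PAYLOAD_EXTS = {".cso", ".txt"}
LUA_RUNTIME = "lua51.dll"


def inspect_archive(data: bytes) -> dict:
    """Flag a zip whose launcher script starts a bundled .exe next to lua51.dll."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    # Map lower-cased basenames back to the archive paths (directories ignored).
    base = {os.path.basename(n).lower(): n for n in members}
    exts = {os.path.splitext(b)[1] for b in base}
    exes = [b for b in base if b.endswith(".exe")]
    launchers = [b for b in base if os.path.splitext(b)[1] in LAUNCHER_EXTS]
    # Does any launcher script reference an executable shipped in the same zip?
    launcher_runs_exe = False
    for name in launchers:
        text = members[base[name]].decode("utf-8", errors="ignore").lower()
        if any(exe in text for exe in exes):
            launcher_runs_exe = True
    found = {
        "launcher": bool(launchers),
        "executable": bool(exes),
        "lua_runtime": LUA_RUNTIME in base,
        "payload": bool(exts & PAYLOAD_EXTS),
        "launcher_runs_exe": launcher_runs_exe,
    }
    # A .txt alone is common (README.txt), so the verdict rests on the loader trio.
    found["suspicious"] = found["launcher"] and found["lua_runtime"] and launcher_runs_exe
    return found


def build_sample(members: dict) -> bytes:
    """Build an in-memory zip from a name -> content mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: the quoted layout vs. an ordinary release.
SUSPECT = build_sample({"Launcher.cmd": "@echo off\r\nluajit.exe payload.cso\r\n",
                        "luajit.exe": b"MZ-stub", "payload.cso": "stub", "lua51.dll": b"MZ-stub"})
BENIGN = build_sample({"README.txt": "docs", "app.exe": b"MZ-stub", "config.txt": "k=v"})

if __name__ == "__main__":
    print("suspect:", inspect_archive(SUSPECT)["suspicious"])  # True
    print("benign:", inspect_archive(BENIGN)["suspicious"])    # False
```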
- axus: It will feel very spooky when they stop updating because of this essay.
- rambojohnson: The en-ghettofication of American tech, down to its very open source control projects. A digital ghetto, ill-maintained if at all.
- GL26: Is it possible to ban them or report them?
- fastcr: Are there any CI/CD that controls them?
- schedpilot: Damn, 10k? That's a lot, how did you get them?
- pydry: Microsoft: and the one thing we absolutely refuse to use AI for is to flag this kind of bullshit to protect users, because it would violate the rule of "don't do anything actually useful with it".
- siva7: Hi Claude fable, why u not protecting me from malware? Am I not American enough? Not rich enough? Yikes..