🧵 Widespread malware attack on GitHubnitter.it/stephenlacy/status/1554697077430505473
314 sats \ 14 comments \ @cryptocoin 3 Aug 2022 bitcoin
write
preview
related posts
136 sats \ 1 reply \ @kilianbuhn 3 Aug 2022
Did you guys know that Git can be used without a central Github/Gitlab server?
Indeed it always could, it was one of the very early features to be used decentralized in p2p.
reply
130 sats \ 0 replies \ @Brunswick 3 Aug 2022
The whole point if git is decentralized, it's just not doing it in a BitTorrent style DHT internet protocol (yes there are ways of connecting git this way).
Git is a way to keep files organized and revisioned across many connected or disconnected computers. It literally was designed to allow software development between teams and individuals that have no centralized organization and via any file-copy medium available including thumb drives. It was essentially an upgrade to managing software codebases with zip and patch files, which worked adequately for many decades. After Linus had some experience with a centralized VCS, but was still distributing his software in zip (tar.gz) files, he decided to write his own VCS so the community wasn't dependent on the existence of one corporation. He sat down and outlined a basic set of requirements for a VCS software that would do what he needed. Interestingly bitcoin's first revision was stored in git, and git was used to coordinate and secure the codebase around the world. You can go back to this first commit in the bitcoin-core repository and see what the first alpha version looked like.
reply
125 sats \ 2 replies \ @sandbeach123old 3 Aug 2022
Another reason why I self host all my stuff. I use gitea on my umbrel node.
reply
29 sats \ 1 reply \ @EnormousPony 3 Aug 2022
Bullshit claim, you really fork and host every dependency you have? Have you read the thread?
reply
38 sats \ 0 replies \ @sandbeach123old 3 Aug 2022
I keep my stuff at a gitea instance. I do use dependencies but I do not host them. I use mainly Go. I guess with JS is more complicated. But that may not work for other people / businesses. I fail to see why my claim was bullshit.
reply
125 sats \ 1 reply \ @rolator 3 Aug 2022 freebie
Could this possibly be related to the Solana hack?
reply
105 sats \ 0 replies \ @cryptocoin OP 3 Aug 2022
There may have been individual cases where there was SOL stolen as a result of this github problem, but this person asserts that the hacks affecting Solana are unrelated to the github problem:
Lastly, the “malicious github” thread, the rust trojan horse, and the malicious pizza delivery guy theories are all false.
Going forward, plz do not jump to conclusions or believe everything you read. As we figure out what is happening, people like:
https://nitter.net/HelpedHope/status/1554812889168478208
reply
0 sats \ 4 replies \ @cryptocoin OP 3 Aug 2022
This attack will send the ENTIRE ENV of the script, application, laptop (electron apps), to the attacker's server!
ENVs include:
  • Security keys
  • AWS access keys
  • Crypto keys ... much mor
https://nitter.it/stephenlacy/status/1554697083331891201
reply
0 sats \ 3 replies \ @cryptocoin OP 3 Aug 2022
Hard to conclude that this is directly related to the solana private key leaks. Nevertheless, you should rotate your application secrets if you used any of the fake libraries on GitHub.
Always use rotating secrets if you can and vet the libraries you use.
https://nitter.it/lxjhk/status/1554727870244605952
reply
0 sats \ 2 replies \ @cryptocoin OP 3 Aug 2022
I have yet to find a single real GH org; it's all copies with 0 stars, created in the last 6-10 days.
Still something @github needs to cleanse, but far, far more limited than the quoted tweet makes it sound.
As this is making the rounds, some more context:
This appears to be an extremely broad, low value, low effort, and likely low impact attack.
Given two major *coin attacks in the last 24 hours or so, infosec news gets more attention than usual.
https://nitter.net/TwitchiH/status/1554725705438601216
reply
10 sats \ 1 reply \ @cryptocoin OP 3 Aug 2022
If you use npm, go get or other automatic dependency grabbing systems you better be pinning deps to particular hashes.
Do not blindly trust deps by name.
Do not allow deps to automatically upgrade to a newer version.
Hard part: Your deps might be blindly trusting their deps.
https://nitter.it/wtogami/status/1554716537323302912
reply
0 sats \ 0 replies \ @cryptocoin OP 4 Aug 2022
UPDATE
GitHub is investigating the Tweet published Wed, Aug. 3, 2022:
  • No repositories were compromised
  • Malicious code was posted to cloned repositories, not the repositories themselves
  • The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts
https://nitter.it/GitHubSecurity/status/1554843443200806913
reply
0 sats \ 1 reply \ @cryptocoin OP 3 Aug 2022
The link for this post uses a read-only front-end for Twitter, which can be easier to read for viewing a full Twitter thread. The Tweet that kicked off the thread is:
I am uncovering what seems to be a massive widespread malware attack on @github.
  • Currently over 35k hits [Corrected later in the thread from repositories to hits].
  • So far found in projects including: crypto, golang, python, js, bash, docker, k8s
  • It is added to npm scripts, docker images and install docs
reply
5 sats \ 0 replies \ @DeezSats 3 Aug 2022
https://nitter.it/stephenlacy/status/1554697077430505473
reply