![\"GitHub](\"https:\/\/gitprotect.io\/blog\/wp-content\/uploads\/2024\/01\/GitHub-infamous-1024x679.jpg\")
<\/figure><\/div>\n\n\nDECEMBER 2023 Researchers from ReversingLabs noticed<\/a> that threat actors started using GitHub for their malicious purposes and reported that \u201clately, we have observed the increasing use of the GitHub open-source development platform for hosting malware<\/em>.\u201d The novel methods that the malicious actors use include leveraging secret Gists and issuing malicious commands via git commit messages. So, the trick is that they can host their malware on a legitimate public service and use it as a dead-drop resolver to retrieve the real command-and-control (C2) address. <\/p>\n\n\n\n These sneaky techniques permit hostile actors to conceal their malicious network traffic inside of legitimate communications on a compromised network. In this case, it\u2019s difficult to identify and address the threats quickly and effectively. Consequently, the infected endpoint corresponding with a GitHub repository may not be reported as a suspicious one, giving a threat actor the green light to create an attack infrastructure that\u2019s reliable and inexpensive, and threaten other users and their data. <\/p>\n\n\n\n The Hacker News<\/a><\/p>\n\n\n\n GitHub RepoJacking<\/a> has been threatening GitHub users for a while, however, in 2023 it has always been on the tip of the tongue. Researchers from AquaSec concluded that 9 million repos can be vulnerable to RepoJacking (we will look at this case further), the Checkmarx team discovered<\/a> that GitHub\u2019s vuln could have exposed over 4K packages to RepoJacking attacks, and recently VulnCheck had been investigating this issue and found out that over 15K Go module repos are vulnerable to this kind of an attack. <\/p>\n\n\n It\u2019s worth mentioning that Go programming language modules are particularly vulnerable to RepoJacking as, in contrast to other package manager solutions, including npm packages<\/a> or PyPI, they are uploaded to version control systems, like GitHub or Bitbucket. <\/p>\n\n\n\n In its research, VulnCheck stated<\/a> that: <\/p>\n\n\n\n To address the issue, GitHub implemented a countermeasure known as popular repository namespace retirement. This countermeasure is aimed at blocking the attempts to create repos with the names of retired namespaces that have already been cloned more than 100 times before the owner\u2019s account name has been changed or removed. <\/p>\n\n\n Source: <\/em>VulnCheck<\/em><\/a><\/p>\n\n\n\n The Hacker News<\/a><\/p>\n\n\n\n NOVEMBER 2023 OCTOBER 2023 SEPTEMBER 2023 AUGUST 2023: JULY 2023: On July 18, GitHub published an alert<\/a> that it tracked and identified a low-volume social engineering campaign that was targeting the personal accounts of technology companies\u2019 employees. Though, the majority of the targeted accounts were related to the blockchain, cryptocurrency, or online gambling sectors, a few accounts associated with the cybersecurity sector fall victim as well. <\/p>\n\n\n\n The hacking group from North Korea, determined by Microsoft as Jade Sleet, impersonated a developer and created a GitHub account and other fake accounts on social media, including LinkedIn, Slack, and Telegram, and after initiating a contact persuaded the victim to collaborate on a GitHub repository. Thus, by cloning and executing the content of the repo (which contained the malicious npm packages!), the threat actors managed to infect the victim\u2019s data with malware.<\/p>\n\n\n\n The Record. Recorded Future News<\/a><\/p>\n\n\n\n JUNE 2023 According to AquaSec\u2019s security team<\/a>, \u201cNautilus\u201d, millions of GitHub repos can be potentially vulnerable to RepoJacking, which could enable malicious actors to launch supply chain attacks affecting lots of users. In this case, an attacker takes over a retired organization\u2019s or user\u2019s name and publishes trojanized versions of repos to run the malicious code in it.<\/p>\n\n\n\n After analyzing a sample of more than a million GitHub repositories, the group of researchers found out that about 2.95% of them might be vulnerable to this kind of vulnerability. <\/p>\n\n\n Source: <\/em>Bleeping Computer<\/em><\/a><\/p>\n\n\n\n As a result, the researchers estimated that RepoJacking can affect appx. 9M projects, which is a lot. To minimize the risks of the repository being exposed to this vulnerability, developers should:<\/p>\n\n\n\n Bleeping Computer<\/a><\/p>\n\n\n\n MAY 2023 According to GitHub\u2019s report, the service provider experienced some availability issues, both long-running and of shorter duration. For sure, the second week of May was a hard one for GitHub DevOps\u2026 They had to handle 3 incidents during 3 days in a row. So, let\u2019s look at the retrospective of the events:<\/p>\n\n\n\n Triggered by the alteration in the setup of the internal server that serves Git data, GitHub experienced a major outage when 8 of 10 services were degraded. For an hour many services experienced widespread failures as they were unable to read newly-written Git data. \u201cFollowing this outage, there was an extended timeline for post-incident recovery of some pull request and push dat<\/em>a,\u201d writes Mike Hanley, the Chief Security Officer and SVP of Engineering at GitHub. <\/p>\n\n\n\n To remediate the issue the GitHub team decided to revert the config change and tried to revert a rollback yet failed due to an internal infrastructure error. So, they decided to complete a gradual failover, after which they managed to restore write operations. However, \u201cadditional time was needed to get Git data, website-visible contents, and pull requests consistent for pushes received during the outage to achieve a full resolution<\/em>,\u201d states the GitHub report. <\/p>\n\n\n Source: <\/em>GitHub<\/em><\/a><\/p>\n\n\n\n The next day after the outage, GitHub faced another incident that led to 6 of 10 main services being degraded. As it turned out, \u201cthe database cluster serving GitHub App auth tokens saw a 7x increase in write latency for GitHub App permissions<\/em>\u201d. <\/p>\n\n\n\n The incident also affected GitHub functionalities that depend on tokens for operation. It included the source of each GITHUB_TOKEN in GitHub Actions and the tokens used for giving GitHub Codespaces access to the users\u2019 repos, which serve as a security mechanism for private GitHub Pages. In this case, due to token issuance failure, GitHub Actions and GitHub Codespaces can\u2019t access the data they require to run, failing to launch. <\/p>\n\n\n\n Yet the troubles weren\u2019t over\u2026 On May 11, GitHub experienced a crash in a database cluster serving Git data during which 8 of 10 main services were degraded for a short period. That, in turn, triggered an automated failover during which from 15% to 26% of requests for Git data were failed or slow\u2026 let\u2019s not forget that around 100M developers across the globe use GitHub for coding. <\/p>\n\n\n\n GitHub blog<\/a><\/p>\n\n\n\n APRIL 2023 MARCH 2023 After discovering its RSA SSH private key for GitHub.com being briefly exposed in a public GitHub repository, the version control service provider urgently rotated its secret for GitHub.com. This measure was taken as a proactive one to protect GitHub users \u201cfrom any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH<\/em>,\u201d states Mike Hanley in GitHub\u2019s report<\/a>.<\/p>\n\n\n\n Customers using GitHub\u2019s ECDSA or Ed25519 keys didn\u2019t notice any changes, though those who saw the warning message while connecting to GitHub.com via SSH had to manually renew the RSA SSH public key entry to their files. GitHub has provided detailed instructions on how to do that in its report.<\/p>\n\n\n Source: <\/em>GitHub<\/em><\/a><\/p>\n\n\n\n After a nasty incident, GitHub explained that \u201cthis issue was not the result of compromise of any GitHub systems or customer information. Instead, the exposure was the result of what we believe to be an inadvertent publishing of private information<\/em>.\u201d <\/p>\n\n\n\n The only question that stays open is how long the exposed key was available to the public eye.<\/p>\n\n\n\n Bleeping Computer<\/a><\/p>\n\n\n\n FEBRUARY 2023 JANUARY 2023 This incident tracks its roots in December 2022, when GiHub reported that a hostile actor gained access to a set of repos that the service provider used in the planning and development of the text and source code editor Atom, and GitHub Desktop. Before you think about how that is related to 2023, here is the answer: all the updates that GitHub users needed to perform were during January. <\/p>\n\n\n\n So, let\u2019s look at the summary of the incident. On December 6, 2022, using a compromised PAT (Personal Access Token) linked to a machine account to clone repos from its Atom, desktop, and \u201cother deprecated GitHub-owned organizations\u201d, a malicious actor gained access to the source code repositories and stole a set of encrypted code-signing certificates.<\/p>\n\n\n\n Though GitHub reported that all the certificates were password-protected and no sign of<\/p>\n\n\n\n malicious use was detached, the service provider decided to take preventive measures. It<\/p>\n\n\n\n revoked the exposed certificates that it used for the GitHub Desktop and Atom applications.<\/p>\n\n\n\n Thus, in order to continue using their applications securely, the GitHub users needed to update them by February 2, 2023\u2026 as it has already been mentioned during January.<\/p>\n\n\n\n Cyber Security Hub<\/a><\/p>\n\n\n\n As you see it\u2019s important to keep the hygiene of your GitHub data. If you use open-source, always double-check the libraries that you utilize to not fall victim to RepoJacking or other malicious actors\u2019 traps. <\/p>\n\n\n\n Also, no matter what repos you use public or private ones, you should keep up with GitHub security best practices<\/a>, including restricting and controlling access, rotating personal access tokens and SSH keys, including defense-in-depth principles, zero-trust approach while building your CI\/CD. <\/p>\n\n\n\n And, don\u2019t forget about GitHub backup<\/a>, as the final line of your source code and metadata security. Whether it\u2019s an outage or a ransomware attack, you can simply use Disaster recovery<\/a> technologies to instantly restore all your GitHub repos and metadata to any location of your choice – the same GitHub account, a new GitHub account, cross-overly to GitLab or Bitbucket, or your local device, guaranteeing uninterrupted workflow. Moreover, you shouldn\u2019t forget that DevOps backup<\/a> is one of the requirements to meet security certifications, including ISO 27001 and SOC 2. <\/p>\n\n\n\n So, keep your source code secure. Who knows what ingenious malicious ideas and schemes threat actors can imagine this year?<\/p>\n\n\n\n Useful resources:<\/strong>
GitHub Status info: 10 incidents <\/strong><\/p>\n\n\n\nHackers abuse GitHub to avoid detection & control compromised hosts<\/h2>\n\n\n\n
15K Go Module Repos on GitHub are vulnerable to RepoJacking attack<\/h2>\n\n\n\n
![\"\"](\"https:\/\/gitprotect.io\/blog\/wp-content\/uploads\/2024\/01\/blog-posts-ads-1024x512.png\")
<\/a><\/figure><\/div>\n\n\n\n
![\"Hijackable](\"https:\/\/gitprotect.io\/blog\/wp-content\/uploads\/2024\/01\/GitHub-related1.jpg\")
<\/figure><\/div>\n\n\n
GitHub Status info: 9 incidents<\/strong><\/p>\n\n\n\n
GitHub Status info: 7 incidents<\/strong><\/p>\n\n\n\n
GitHub Status info: 20 incidents<\/strong> <\/p>\n\n\n\n
GitHub Status info: 17 incidents<\/strong> <\/p>\n\n\n\n
GitHub Status info: 11 incidents<\/strong><\/p>\n\n\n\nCyberattack on GitHub customers<\/h2>\n\n\n\n
GitHub Status info: 13 incidents<\/strong><\/p>\n\n\n\nMillions of GitHub repos can be vulnerable to RepoJacking<\/h2>\n\n\n\n
![\"GitHub](\"https:\/\/gitprotect.io\/blog\/wp-content\/uploads\/2024\/01\/tested.webp\")
<\/figure><\/div>\n\n\n\n
GitHub Status info: 10 incidents<\/strong><\/p>\n\n\n\nGitHub addresses several availability incidents in a month<\/h2>\n\n\n\n
May 9th, 2023 – Git Databases degraded due to configuration change<\/h3>\n\n\n\n
![\"Git](\"https:\/\/gitprotect.io\/blog\/wp-content\/uploads\/2024\/01\/availability-1-1024x297.webp\")
<\/figure><\/div>\n\n\nMay 10th, 2023 – GitHub App authentication token issuance degradation<\/h3>\n\n\n\n
May 11th, 2023 – Git database degraded as a result of loss to read replicas<\/h3>\n\n\n\n
GitHub Status info: 12 incidents <\/strong><\/p>\n\n\n\n
GitHub Status info: 20 incidents<\/strong><\/p>\n\n\n\nGitHub\u2019s private SSH key exposed in a public GitHub repository<\/h2>\n\n\n\n
![\"notice](\"https:\/\/gitprotect.io\/blog\/wp-content\/uploads\/2024\/01\/GitHub-related-2.jpg\")
<\/figure><\/div>\n\n\n
GitHub Status info: 19 incidents<\/strong> <\/p>\n\n\n\n
GitHub Status info: 17 incidents <\/strong><\/p>\n\n\n\nA set of repos connected to GitHub Desktop and Atom accessed by a hacker<\/h2>\n\n\n\n
How to ensure the security of your GitHub data in 2024?<\/h2>\n\n\n\n
GitHub backup best practices<\/a>
GitHub Compliance – All you need to know<\/a>
Ultimate review of the most infamous GitHub-related security incidents in 2022<\/a>
GitProtect DevSecOps X-Ray Newsletter – your guide to the latest DevOps & security insights<\/a><\/p>\n\n\n\n