GitHub is currently working to contain an ongoing attack in which cryptocurrency-related criminal gangs use automated tools to create a large number of GitHub accounts, and then automatically fork well-known repositories and add backdoors to these repositories. These backdoors are mainly targeted at cryptocurrency investors, meaning that if users or developers accidentally use these projects with backdoors, their crypto wallet data may be stolen, resulting in the loss of funds.
It makes sense for criminal gangs to choose GitHub as their target. GitHub has a very high weight on Google searches and has a larger number of clicks. Many users cannot tell whether a project on GitHub is the original project or a version forked by someone else, so it is easier to be tricked.
However, such automated and large-scale attacks on GitHub are still rare. Criminal gangs naturally know that such a large-scale attack will inevitably attract GitHub’s attention and initiate technical confrontation. However, the criminal gangs still do it, which shows that they are also confident that their automated systems can continue to work despite GitHub’s pursuit and interception.
In fact, this is indeed the case. GitHub has currently deleted millions of problematic repositories. These repositories mainly fork some large and well-known repositories. There are approximately 100,000 repositories that have been forked.
This is also a supply chain attack, and there are countless supply chain attacks launched against GitHub, but it is extremely rare for millions of malicious repositories to appear. Currently, GitHub is using manual review + large-scale machine learning detection to delete these malicious repositories. However, there are still some repositories carrying backdoors that have slipped through the net, and these fish that have slipped through the net may be downloaded by users.
There is currently no evidence to show how long the life cycle of these fish that slipped through the net is, but even if GitHub is delayed by a day or two before detecting the fish that slipped through the net, some users may be affected within a day or two.
Therefore, next time you download content from GitHub, remember to look at the issues, submission history, and star number as a reference to avoid security risks caused by entering the fork's repository from a search engine.