Github Supply Chain Attack

A significant software supply chain attack has been discovered on GitHub. Although it was stopped before it could spread further, the ramifications of "supply chain" attacks are clear and intimidating.

GitHub is the most popular code repository, used by over 83 million developers across the globe. It lets developers track and control the source code they store there, and its users form the largest coding community in the world.

What Is GitHub?

GitHub allows developers to collaborate on code repositories: other developers can contribute to code that is not their own, while the owner of the original code retains full control to accept or reject changes made by other members of the community.

It is common for developers to download code repositories and use the code in their own applications.

When a developer wants to make significant changes to another developer's code, they use GitHub's Clone function. This creates an exact copy of someone else's code, while the original remains untouched under the management of its original author and keeps its existing interaction stats such as views, contributions and followers. The new cloned version is under new ownership and has no interaction stats associated with it, because it is essentially new code (albeit copied from something existing).

What Happened?

According to research from Check Point, a malicious actor cloned upwards of 35,000 GitHub repositories, keeping them identical to the original source code apart from the addition of malicious code. This malicious code was able to fingerprint the environment in which it was executed, collecting details such as the device identity, the identity of the user and possibly additional sensitive data.

More significantly, this code included the ability to download additional malware from a third-party site. That additional malware could further exploit any application or environment that used code originating in the weaponized cloned repositories on GitHub.

The developer community identified the malicious implant in code downloaded from GitHub, and the immediate fear was that the source code of the original repositories had been infected by this malware. Further research made clear that the infected code was in fact cloned code, downloaded from GitHub by developers who assumed they were downloading the original, non-malicious repository.

The implications for the software supply chain are potentially catastrophic: an unsuspecting developer mistakenly downloads a cloned repository that includes malicious code, uses it for their own purposes, and then unknowingly ships code that includes malware to their own users.

How To Prevent Supply Chain Attacks

The practice of shifting security "left", giving DevOps teams automated tools to embed security into their pipelines, is not new, but adoption is slow. This attempt to attack innumerable environments and applications is a clear example of why supply chain security is critical.

Check Point recommends that software developers use automated security tools to scan source code, so that threats are eliminated at the earliest phase of development.
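Check Point's recommendation is framed at the tool level. As an added example (not code from the article or from Check Point), here is a small Python check for the specific failure the article describes: a dependency pulled from a look-alike clone rather than the canonical repository. It assumes a requirements-style manifest in which git dependencies are written as `git+https://github.com/<owner>/<repo>@<ref>` and a hand-maintained allowlist of vetted `owner/repo` pairs; the allowlist entries and the sample manifest are constructed for illustration. It flags any git dependency whose owner is not on the allowlist (pointing out when the repository name matches a vetted upstream under a different owner) and any dependency not pinned to a full commit hash, since a branch or tag can be moved.

```python
"""Verify that git-sourced dependencies come from an allow-listed upstream
repository and are pinned to an immutable commit.

Added example, not code from the article or from Check Point. The
allowlist, manifest format and sample manifest below are all constructed
assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed allowlist: the canonical owner/repo pairs this project has vetted.
ALLOWED_UPSTREAMS = {
    "example-org/example-lib",
    "example-org/example-tool",
}

# Matches: git+https://github.com/<owner>/<repo>[.git]@<ref>
GIT_DEP_RE = re.compile(
    r"^git\+https://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?@(?P<ref>[^\s#]+)"
)
# A full 40-hex SHA-1 commit id; tags and branches are mutable and do not qualify.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: str
    reason: str


def check_manifest(text: str) -> list[Finding]:
    """Return one Finding per problem found in the manifest text."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GIT_DEP_RE.match(line)
        if not m:
            # Registry packages (e.g. "name==1.2.3") are out of scope for this check.
            continue
        owner_repo = f"{m['owner']}/{m['repo']}"
        if owner_repo not in ALLOWED_UPSTREAMS:
            # Same repository name as a vetted upstream but a different owner is
            # exactly the look-alike clone pattern, so call it out explicitly.
            lookalikes = [a for a in ALLOWED_UPSTREAMS if a.split("/")[1] == m["repo"]]
            hint = f"; same name as allow-listed {lookalikes[0]}" if lookalikes else ""
            findings.append(Finding(line, f"{owner_repo} is not an allow-listed upstream{hint}"))
        if not FULL_SHA_RE.match(m["ref"]):
            findings.append(Finding(line, f"ref '{m['ref']}' is not a full commit hash; pin to an immutable commit"))
    return findings


# Constructed sample manifest: one registry package, one good git pin, one
# look-alike owner on a mutable branch, and one vetted upstream on a tag.
SAMPLE_MANIFEST = """\
# constructed sample requirements
requests==2.31.0
git+https://github.com/example-org/example-lib.git@0123456789abcdef0123456789abcdef01234567
git+https://github.com/examp1e-org/example-lib@main
git+https://github.com/example-org/example-tool@v1.2.0
"""


if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST):
        print(f"{f.reason}\n    {f.line}")
```

Running the module prints three findings for the sample: two for the `examp1e-org` line (unknown owner with the same name as a vetted upstream, and a branch rather than a commit) and one for the tag pin on `example-tool`. In a real pipeline the allowlist would live in version control alongside the manifest so that adding a new upstream is itself a reviewed change.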

Check Point
