Github Supply Chain Attack

A significant software supply chain attack has been discovered in Github, and while the attack was prevented from spreading further, the ramifications of “supply chain” attacks are clear and intimidating.

Github is the most popular code repository used by over 83 million developers across the globe. Their repository allows developers to track and control the source code that they store in the repository. Its users represent the largest coding community in the world. 

 

What Is Github?

Github allows developers to collaborate on code repositories, so that other developers can contribute to code which is not their own, while giving the owner of the original code full control to accept or reject changes made by another member of the community.

It is common for developers to download code repositories and use the code in their own applications.

In a situation where a developer wants to significantly change the code of another developer, they use Github’s Clone function. This allows a developer to create an exact copy of someone else’s code – where the original version remains untouched under the management of its original author. It retains its existing interaction stats like views, contributions and followers, while the new cloned version is under new ownership with no interaction stats associated with it because it is essentially new code (albeit copied from something existing).

What Happened?

According to research from Check Point, a malicious actor cloned upwards of 35,000 Github repositories and kept them identical to the original source code, with the addition of malicious code. This malicious code was able to build a fingerprint – to collect details of the environment in which it is executed. The code could collect device identity, the identity of the user and possibly additional sensitive data.

More significantly this code included the ability to download additional malware from a third party site. This additional malware could further exploit any application or environment which was using this code which originated in the weaponized cloned repositories in Github.

The developers’ community identified the malicious implant within code that was downloaded from Github and immediately the community feared that source code from the original repositories had been infected by this malware. However, upon further research it became clear that the infected code was in fact Cloned code which had been downloaded from Github under the assumption that the developer was downloading the original non-malicious repository.

This has potentially catastrophic implications for the software supply chain where an unassuming developer mistakenly downloads a cloned code repository which includes malicious code, uses it for their own purposes and then unknowingly provides their users with code that includes malware.

How To Prevent Supply Chain Attacks

The practice of shifting security “left” and providing security teams with automated tools for DevOps to embed  security into their pipelines is not new, but adoption is slow. This attempt to attack innumerable environments and applications is a clear example of why supply chain security is critical.

CheckPoint recommends software developers use automated security tools to scan source code to ensure that all code is security centric, eliminating threats at the earliest phase.

Check Point

You Might Also Read: 

Improving The Security Of Open Source Software:

 

« Perimeter 81 / Zero Trust Network Access Guide
Cybersecurity Essentials For Cloud Environments »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

Global Forum on Cyber Expertise (GFCE)

Global Forum on Cyber Expertise (GFCE)

GFCE is a global platform for countries, international organizations and private companies to exchange best practices and expertise on cyber capacity building.

InnoSec

InnoSec

InnoSec is a software manufacturer of cyber risk management technology.

Netresec

Netresec

Netresec is an independent software vendor with focus on the network security field. We specialize in software for network forensics and analysis of network traffic.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

Segusoft

Segusoft

With its encryption platform SEGULINK, Segusoft provides standard software for companies to securely transfer files and messages.

AKS IT Services

AKS IT Services

AKS IT Services (an ISO 9001:2015 and ISO 27001:2013 certified company) is a leading IT Security Services and Solutions provider.

Surevine

Surevine

Surevine builds secure, scalable collaboration solutions for the most security conscious organisations, enabling collaboration on their most sensitive information.

BlueKrypt

BlueKrypt

BlueKrypt is a consulting firm for the security of IT systems and their management.

NJVC

NJVC

NJVC delivers IT automation, optimization and security to empower mission-enabling IT for customers with secure requirements.

Data Privacy Office (DPO)

Data Privacy Office (DPO)

Data Privacy Office is a company that specializes in privacy and personal data protection, following the highest standards in its sector.

Gigit

Gigit

Gigit’s Service portfolio focuses on your business’ needs and the integration of comprehensive cybersecurity policies, plans, procedures, and practices into your business culture and operations.

Onclave Networks

Onclave Networks

Onclave Networks is a global cybersecurity leader, transforming the future of securing all IT/OT devices and systems.

Intellias

Intellias

Intellias is a trusted technology partner to top-tier organizations and digital natives helping them accelerate their pace of sustainable digitalization.

Varen Technologies

Varen Technologies

Varen Technologies is an innovative consulting partner with highly respected cyber security, analytics, Agile Software Development and IT/maintenance expertise.

Softwerx

Softwerx

Softwerx is the UK’s leading Microsoft cloud security practice. We’ve been helping forward-thinking companies better secure their businesses for nearly twenty years.