FRESH

Hacker News

Home

I found 10k GitHub repositories distributing Trojan malware

372 points by theorchid

by danso

2 subcomments

Being reminded of this anecdote from NYMag's recent cover story (which had previously been reported in a WSJ story[0]) about a Disney engineer who downloaded an AI-gen tool from Github and "checked the code himself, it had looked legitimate":
https://archive.is/yAUNy
> He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.
[0] https://www.wsj.com/tech/cybersecurity/disney-employee-ai-to...

by guhcampos

0 subcomment

> Why do they only clone new repositories, rather than popular ones? > Why do they delete a commit and push a new one every few hours?
Because this is not targetted to humans. It's targetted to agents. They just need to appear on a fraction of the searches agents do to add dependencies and get lucky a couple times to start a new infection cluster.
Then to the more interesting question: why now?
1. Agents, agents everywhere.
2. MAJOR elections happening this year in the World, including US midterms and Brazilian mains. This appears to be an account-stealer worm - and my guess is it's looking to all those sweet sweet Facebook/Instagram/Tiktok/Whatsapp accounts ready to bot their way into oblivion.

by mustaphah

2 subcomments

This is just one flavour of abuse. GitHub does NOT give a shit about the scale of the malware problem.
I've seen so many forms of malware repos working on a GitHub trends newsletter [1], mostly about crypto, NFTs, KMS, and similar stuff.
In the first runs of the project, I was so surprised by tens of malware repos that looked like trending repos. A lot of them share some common traits that made filtering feasible:
- Made by a fresh GitHub user - many created in the past few days.
- The average creation date of Stargazers accounts is very close to the repo creation date. If you take the mean time diff, those bad repos get exposed.
I reported 10s of malware repos, but then I gave up as I felt GitHub was not really doing enough to fight back. I was like... these guys don't seem to care, why should I?
God knows how many people have been abused by these malware repos on GitHub.
---
[1] https://github.com/mhadidg/gh-trends

by StableAlkyne

7 subcomments

> I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results
Side story, this kind of thing is what made me stop using Bing.
I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"
I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.

by emodendroket

15 subcomments

I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.

by Jimmc414

0 subcomment

This is happening to me as well. I have a few moderately popular open source projects and I have found my name attached to new projects that I have nothing to do with or they are derivatives of my projects with redirection to unknown sites.
Legitimate projects:
https://github.com/jimmc414/onefilellm
https://github.com/jimmc414/Kosmos
https://github.com/jimmc414/cctrace
Projects using my name which I have no affiliation with or they are projects I have written that they have injected new URLs into:
https://hub.decision.ai/skills/jimmc414/benchling-integratio...
https://lobehub.com/skills/jimmc414-claude-code-plugin-marke...
https://mcpmarket.com/tools/skills/geniml-genomic-machine-le...
https://mcpmarket.com/tools/skills/biopython-for-molecular-b...

by jp0001

0 subcomment

I uploaded a sample found here (https://github.com/alexct142010-cell/McBackuper ) to Genus Codes (need an account): https://genuscodes.com/results/7ad4b911d05a12f91ab27ba3baa35... Seems to be related to the disco trojan family, by way of normalized function matching at 50% to malicious file https://genuscodes.com/results/eddbc29db4677e00c1a901aadbadb... and a normalized 50% match to https://genuscodes.com/results/fdb6cff68a2a8c08779d64a7cf61d...
Virustotal link: https://www.virustotal.com/gui/file/fdb6cff68a2a8c08779d64a7...

by RoadieRoller

1 subcomments

> Why do they delete a commit and push a new one every few hours?
May be to make it appear on the top of the "Last Updated" repositories in case someone searches for the repo or a keyword. So instead of the author's actual repo, the users endup cloning the trojan infected one.

by bananamogul

1 subcomments

I reported a repo containing obvious nulled software to GitHub in February 2024.
The title is "nulled WHMCS" and it's a full copy of that software with copy protection removed. It couldn't be more cut and dried.
The repo is still there 2+ years later and GitHub has taken no action.
If GitHub can't respond to tickets pointing out obvious pirated software, I don't think they care about anything anyone puts up.

by lookeey

1 subcomments

It happened a few times to me that I'd find some very well constructed scam scheme (cryptocurrency washing systems, web platform/phishing scams), then I'd research deeper into it to see how it worked, just to ultimately feel powerless not knowing what to do with the information.

by rkozik1989

1 subcomments

People need to do their due diligence when including open-source software and packages not just when they first use them but anytime you have a need to upgrade them. I highly doubt I'm the first one to think of this, but there really aught to be tool or comprehensive set of tools that routinely scan open-source software and packages for potentially malicious code and alert users of the problem(s).

by gus_

0 subcomment

A year ago a similar attack was reported and I think that there have been similar campaigns reported this year: https://github.com/evilsocket/opensnitch/discussions/1290#di...
```
  - This is a new repository, not a fork
  - All repositories have different contributors and different names
  From the last two points, it becomes clear that even if we find one such repository, we won’t be able to find other similar repositories using it.
```
In previous campaigns the repositories were linked to a few users. But those users had starred other users, that at the same time had also cloned other repositories with the malware. Sometimes the malicious repository had been cloned from another malicious repo, and if you listed the repositories and "friends" of that user, all were part of the botnet.
Also, github doesn't delete repositories and accounts, they mark them as deleted. If you use their api you can still list them.

by mmsc

1 subcomments

> Another month later, GitHub support sent me an email saying that they had removed these repositories.
I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Phillips LED light strip.
I reported it to GitHub and it was removed within 24 hours.
I discovered another repository like this, and they still haven't replied since (one month).
No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)

by factorymoo

0 subcomment

Can anyone tell me if there are similar risks installing software using Brew on macos? I would imagine so.

by tgtweak

0 subcomment

This is a failure of malware flagging systems as well - VT should not return clean if there are any downstream files that are malicious - such as in this case.

by ttoinou

0 subcomment

I got some source code leaked and added a malware on top of it. Not sure what to do with it

by astronodev

0 subcomment

I uploaded several of these virus-infected archives to VirusTotal. In each archive, under the “Network Communication” section, the virus makes requests to three resources: a GET request to a website to retrieve IP information, a POST request to a Polygon RPC node (drpc), and a POST request to what appears to be the virus creator’s server. I can only assume that the scheme is designed to steal cryptocurrency.

by beej71

0 subcomment

I added keyoxide proofs everywhere. It's not really protection against victims using the wrong repo, but at least people who look can be certain that the person who controls my domain and website is the same person who controls that particular GitHub account.

by Teknomadix

0 subcomment

>The zip archive contains 4 files: Application.cmd or Launcher.cmd loader.exe or luajit.exe or another_name.exe random_name.cso or random_name.txt lua51.dll If you submit a link to the archive to VirusTotal, it will find 0 viruses. If you submit the zip file itself, it will detect a Trojan inside it.
MS Windows

by axus

0 subcomment

It will feel very spooky when they stop updating because of this essay .

by jslakro

0 subcomment

Any open source tool to scan a github repo before download/install it locally? I'm thinking of semgrep or socket.dev but I wonder if there's a better option

by GL26

0 subcomment

is it possible to ban them or report them ?

by fastcrw

1 subcomments

are there any ci/cd that controls them?

by schedpilot

1 subcomments

damn 10k ? thats a lot, how did you get them ?

by pydry

1 subcomments

Microsoft: and the one thing we absolutely refuse to use AI for is to flag this kind of bullshit to protect users, because it would violate the rule of "don't do anything actually useful with it".

by cyber-anderson

0 subcomment

[dead]

0 subcomment

by rambojohnson

1 subcomments

the en-ghettofication of american tech, down to its very open source control projects. a digital ghetto ill maintained if at all.

by siva7

0 subcomment

Hi Claude fable, why u not protecting me from malware? Am i not american enough? Not rich enough? Yieks..