Hundreds of GitHub repositories have been targeted in a new campaign involving malicious code masked as Dependabot contributions designed to infect victims with information-stealing malware.
The campaign was uncovered by researchers at software security company Checkmarx in July 2023, when they spotted unusual commits for hundreds of GitHub accounts contributed by Dependabot that contained malicious code.
Dependabot is a feature that aids in the automatic upgrading of applications. It analyzes the files in the application, identifies outdated requirements, and opens new pull requests if there are any missing or out-of-date dependencies.
The attack begins with the threat actor somehow obtaining victims’ GitHub personal access tokens. It’s unclear, how exactly the attacker steals tokens, possibly, it may be due to a malicious open-source package installed on their computer, the researchers said.
Next, the threat actor uses automated scripts to create fake commit messages titled “fix” that appear to be by the user account “dependabot[bot].”
“This is the first incident we witnessed a threat actor using fake git commits to disguise activity, knowing that many developers do not check the actual changes of dependabot when they see it,” Checkmarx noted. “Sadly, GitHub’s personal access tokens access log activity is only visible for the enterprise accounts. If your token was compromised, you can’t know for sure since this information is not visible for non-enterprise users in the audit log section.”
“The attacker's Tactics, Techniques, and Procedures (TTPs) involve the use of fake commits, stealing user credentials, and impersonating Dependabot to avoid detection show us supply chain attacks are getting more sophisticated as attackers realize it doesn’t take much to move silently,” the researchers added.