27 September 2023

Hackers spoof GitHub’s Dependabot to steal passwords

Hundreds of GitHub repositories have been targeted in a new campaign involving malicious code masked as Dependabot contributions designed to infect victims with information-stealing malware.

The campaign was uncovered by researchers at software security company Checkmarx in July 2023, when they spotted unusual commits in hundreds of GitHub accounts that were attributed to Dependabot and contained malicious code.

Dependabot is a feature that aids in the automatic upgrading of applications. It analyzes the files in the application, identifies outdated requirements, and opens new pull requests if there are any missing or out-of-date dependencies.

According to the researchers, the malicious code exfiltrates the GitHub project’s secrets and sends them to a command-and-control (C&C) server. It then modifies any existing JavaScript files in the targeted project with malware that steals passwords from submitted web forms.

The attack begins with the threat actor obtaining victims’ GitHub personal access tokens. Exactly how the attacker steals the tokens is unclear; the researchers said it may be the result of a malicious open-source package installed on the victim’s computer.

Next, the threat actor uses automated scripts to create fake commits with the message “fix” that appear to come from the user account “dependabot[bot].”

“This is the first incident in which we witnessed a threat actor using fake git commits to disguise activity, knowing that many developers do not check the actual changes of dependabot when they see it,” Checkmarx noted. “Sadly, GitHub’s personal access token access log activity is only visible for enterprise accounts. If your token was compromised, you can’t know for sure, since this information is not visible for non-enterprise users in the audit log section.”

“The attacker’s Tactics, Techniques, and Procedures (TTPs), involving the use of fake commits, stealing user credentials, and impersonating Dependabot to avoid detection, show us supply chain attacks are getting more sophisticated as attackers realize it doesn’t take much to move silently,” the researchers added.
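One way a repository owner can hunt for the impersonation described above is to compare commits that claim the Dependabot name against properties real Dependabot commits have. The script below is an added example, not code from Checkmarx or GitHub; it assumes genuine Dependabot commits carry a verified signature (`%G?` of `G`) and a `users.noreply.github.com` author address, and treats anything else bearing that name as suspect. The log lines are constructed samples in the shape of `git log --format='%H|%an|%ae|%G?|%s'`.

```python
"""Flag commits that claim to be from dependabot[bot] but lack the
properties of genuine Dependabot commits (added example; assumptions
noted in comments)."""
import re
import sys
from typing import Dict, List, Tuple

BOT_NAME_RE = re.compile(r"dependabot", re.IGNORECASE)
# Assumption: real Dependabot commits use a GitHub noreply author address.
NOREPLY_SUFFIX = "@users.noreply.github.com"


def parse_log(log_text: str) -> List[Dict[str, str]]:
    """Parse 'sha|author|email|sigstatus|subject' lines into dicts."""
    commits = []
    for line in log_text.strip().splitlines():
        # maxsplit=4 keeps any '|' inside the subject intact.
        sha, author, email, sig, subject = line.split("|", 4)
        commits.append({"sha": sha, "author": author, "email": email,
                        "sig": sig, "subject": subject})
    return commits


def flag_impostors(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (sha, reasons) for commits that claim the bot's name but
    fail any of the checks a genuine Dependabot commit would pass."""
    flagged = []
    for c in parse_log(log_text):
        if not BOT_NAME_RE.search(c["author"]):
            continue
        reasons = []
        if c["sig"] != "G":  # %G? 'G' means a valid, verified signature
            reasons.append(f"signature not verified (%G?={c['sig']})")
        if not c["email"].endswith(NOREPLY_SUFFIX):
            reasons.append("author e-mail is not a GitHub noreply address")
        if c["subject"].strip().lower() == "fix":
            reasons.append("generic 'fix' subject, not a Dependabot bump")
        if reasons:
            flagged.append((c["sha"], reasons))
    return flagged


# Constructed sample log: one genuine-looking bump, one impostor with a
# 'fix' subject, one unsigned commit under a casing variant of the name.
SAMPLE_LOG = """\
a1b2c3d|dependabot[bot]|dependabot[bot]@users.noreply.github.com|G|Bump lodash from 4.17.20 to 4.17.21
deadbee|dependabot[bot]|dependabot@example.invalid|N|fix
f00ba77|Dependabot|x@users.noreply.github.com|N|Bump axios from 0.21.0 to 0.21.1
c0ffee1|alice|alice@example.com|N|Add login form
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sha, reasons in flag_impostors(text):
        print(sha, "->", "; ".join(reasons))
```

Piping a real `git log --format='%H|%an|%ae|%G?|%s'` into the script checks a local clone; signature verification requires GitHub's public signing key to be in your GPG keyring.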
