The company Apiiro, based in Israel and the USA, describes in a detailed blog post a malware-distribution scam that it has been observing for months. At its peak the campaign produced 100,000 malicious repositories on the popular code platform GitHub; the number grew so quickly that GitHub could not keep up with deleting them.
The trick behind the scam is simple: the attackers clone the repository of a popular project, inject malicious code into it and use the result to spawn thousands of further repository clones. By then publishing these on the Python Package Index (PyPI) and promoting them in various forums and social media channels, they make sure that inexperienced developers looking for a suitable library stumble across the copies and pull them into their projects.
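The campaign relies on a copy that carries the same repository name as the original but lives under a different GitHub owner. The following script is an added example, not code from Apiiro's report or tooling: it takes the source URL a dependency advertises (for instance from a PyPI project's `project_urls` or a VCS reference in a requirements file), compares it against an allowlist of canonical owners, and flags same-named repositories under another owner. The allowlist, the sample package list and the function names are all constructed for this example; SSH-style `git@github.com:` references are not handled.

```python
"""Repo-confusion check for third-party dependencies.

Added example, not Apiiro's code: decide whether a dependency's advertised
source repository is the canonical upstream or a same-named copy under a
different GitHub owner. All data below is constructed for the example.
"""
from urllib.parse import urlparse

# Constructed allowlist: project name -> canonical GitHub owner (lower case).
# In practice this would come from a reviewed lock file or an internal registry.
CANONICAL_OWNERS = {
    "requests": "psf",
    "colorama": "tartley",
    "discord.py": "rapptz",
}


def parse_github_repo(url):
    """Return (owner, repo) in lower case for a GitHub repository URL, else None.

    GitHub owner and repository names are case-insensitive, so both values are
    lower-cased before comparison; a trailing '.git' is stripped from the repo.
    Only http(s)-style URLs are recognised, not 'git@github.com:' references.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower().split("@")[-1]  # drop any user@ prefix
    if host not in ("github.com", "www.github.com"):
        return None
    parts = [seg for seg in parsed.path.split("/") if seg]
    if len(parts) < 2:
        return None
    owner, repo = parts[0].lower(), parts[1].lower()
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner, repo


def classify_source(url):
    """Classify a dependency's advertised source repository.

    Returns one of:
      'canonical'       owner and repository match the allowlist
      'repo-confusion'  repository name matches a known project, owner does not
      'unlisted'        GitHub repository not on the allowlist (manual review)
      'not-github'      URL is not a GitHub repository URL
    """
    repo_ref = parse_github_repo(url)
    if repo_ref is None:
        return "not-github"
    owner, repo = repo_ref
    expected_owner = CANONICAL_OWNERS.get(repo)
    if expected_owner is None:
        return "unlisted"
    return "canonical" if owner == expected_owner else "repo-confusion"


def audit(packages):
    """Audit a {package_name: source_url} mapping.

    Returns {package_name: verdict} for every package that should not be
    installed without review, i.e. everything that is not 'canonical'.
    """
    findings = {}
    for name, url in packages.items():
        verdict = classify_source(url)
        if verdict != "canonical":
            findings[name] = verdict
    return findings


# Constructed sample metadata, shaped like the source URLs a package might
# advertise on PyPI or in a requirements file with VCS references.
SAMPLE_PACKAGES = {
    "requests": "https://github.com/psf/requests",
    "colorama": "https://github.com/Tartley/colorama.git",
    "discord.py": "https://github.com/someone-else/discord.py",  # same name, other owner
    "leftpad-helper": "https://github.com/unknown-dev/leftpad-helper",
    "internal-lib": "https://git.example.internal/team/internal-lib",
}

if __name__ == "__main__":
    for package, verdict in audit(SAMPLE_PACKAGES).items():
        print(f"{package}: {verdict}")
```

Run as a script, it reports `discord.py` as a repo-confusion candidate, `leftpad-helper` as unlisted and `internal-lib` as not hosted on GitHub; the two entries whose owner matches the allowlist are not reported. The allowlist is the important part: a name match alone proves nothing, because the copies in the campaign are indistinguishable by name from the project they imitate.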
BlackCap-Grabber steals data
The hidden payload carried in these copies, which Apiiro calls the “BlackCap-Grabber”, is designed to collect login credentials, cookies and other confidential information and send them to the attackers' command-and-control servers. According to the researchers, GitHub quickly deletes most of the automatically generated fake repositories, but some, particularly the manually created ones, slip through.
According to Apiiro, the first sign of the campaign was seen in May 2023, in the form of packages listed on the Python Package Index (PyPI) that referenced forks of GitHub repositories. Since then, the report continues, the attackers have tried to distribute manipulated software directly via GitHub. They are now said to concentrate more on niche projects and to count on developers being too trusting when incorporating third-party code into their projects.
It is no great surprise that it is Apiiro, of all companies, reporting on these machinations: the company specializes in the security of software development for cloud services, with a particular focus on monitoring supply chains and software bills of materials. The security of package repositories has been a topic of discussion for a long time.
(ps)