I uploaded several of these virus-infected archives to VirusTotal. In each archive, under the “Network Communication” section, the virus makes requests to three resources: a GET request to a website to retrieve IP information, a POST request to a Polygon RPC node (drpc), and a POST request to what appears to be the virus creator’s server. I can only assume that the scheme is designed to steal cryptocurrency.
> Another month later, GitHub support sent me an email saying that they had removed these repositories.
I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Phillips LED light strip.
I reported it to GitHub and it was removed within 24 hours.
I discovered another repository like this, and they still haven't replied since (one month).
No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)
It happened a few times to me that I'd find some very well constructed scam scheme (cryptocurrency washing systems, web platform/phishing scams), then I'd research deeper into it to see how it worked, just to ultimately feel powerless not knowing what to do with the information.
It's a matter of how much effort you want to put in, and what you get out of it.
Years ago, a friend of mine fell victim to a romance scam. Damage ~€3k. It involved fake websites of non-existing logistics companies, a fake banking site where victim could 'help' a person 'transfer funds' for them, a long chat history (over Viber or something like that, initiated through Facebook), etc.
This being a good friend, I put in some legwork, saved local copies of sites, etc. Some findings:
# It's easy to find copies of sites of the one(s) used to defraud victim. In this case, ~50. And compile a list, what's the hoster of each & where domains are registered.
# Fake banking sites are easy to determine since legitimate banks are recorded in per-country registries. Legitimate: website's security certificate (extended validation etc) indicates [bank_X], bank_X listed as such in registry of country it operates in. Not? -> fake.
For non-banking fake sites it's more difficult to tell.
# Hosting companies & domain registrars do take action. As long as you provide correct & detailed info, in such a way that it's easy for them to act on. Professional companies don't like having legal / financial liabilities sit around.
# If there's security certificates involved, informing issuer of that can remove "secure connection" from a whole batch of sites in 1 go. Makes it harder to convince future victims. (no lock icon on a banking site?!?)
# An official request could be filed with this victim's bank (passed on to recipient's bank), that would give holder of recipient account 2 options: a) return the funds, or b) have their personal details revealed to victim - for use in legal proceedings etc.
This was within EU area. Likely, recipient would be a money mule & not respond. But then you'd get money mule's full name/contact info etc (home address?)
# Police / fraud orgs etc rarely have time for this. You need to do the legwork yourself.
Ultimately, my friend decided not to pursue the matter. But in the mean time, I had caused >2/3 of those fake sites to be deleted (and all the fake banking sites I'd found), and some security certificates to be revoked. Obviously that disrupts scammer's operations to some degree (and costs them time, $$, potential victims dropped etc). So it's not like you can't do anything.
I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.
this issue was found specifically because these things are open source.
the ethos of open source is that bugs and malicious code are more likely to be spotted.
we’re discussing this on hn right now strictly because the code is open, the abusive code was found because it is open.
abusive people will make abusive software. the problem lies in the fact that despite absolutely having the resources, microsoft won’t do anything about it, not in the fact that we can see the abuse.
People need to do their due diligence when including open-source software and packages not just when they first use them but anytime you have a need to upgrade them. I highly doubt I'm the first one to think of this, but there really aught to be tool or comprehensive set of tools that routinely scan open-source software and packages for potentially malicious code and alert users of the problem(s).
> I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results
Side story, this kind of thing is what made me stop using Bing.
I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"
I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.
Microsoft: and the one thing we absolutely refuse to use AI for is to flag this kind of bullshit to protect users, because it would violate the rule of "don't do anything actually useful with it".
> Why do they delete a commit and push a new one every few hours?
May be to make it appear on the top of the "Last Updated" repositories in case someone searches for the repo or a keyword. So instead of the author's actual repo, the users endup cloning the trojan infected one.
- This is a new repository, not a fork
- All repositories have different contributors and different names
From the last two points, it becomes clear that even if we find one such repository, we won’t be able to find other similar repositories using it.
In previous campaigns the repositories were linked to a few users. But those users had starred other users, that at the same time had also cloned other repositories with the malware. Sometimes the malicious repository had been cloned from another malicious repo, and if you listed the repositories and "friends" of that user, all were part of the botnet.
Also, github doesn't delete repositories and accounts, they mark them as deleted. If you use their api you can still list them.
>The zip archive contains 4 files: Application.cmd or Launcher.cmd loader.exe or luajit.exe or another_name.exe random_name.cso or random_name.txt
lua51.dll If you submit a link to the archive to VirusTotal, it will find 0 viruses. If you submit the zip file itself, it will detect a Trojan inside it.
Any open source tool to scan a github repo before download/install it locally? I'm thinking of semgrep or socket.dev but I wonder if there's a better option
I added keyoxide proofs everywhere. It's not really protection against victims using the wrong repo, but at least people who look can be certain that the person who controls my domain and website is the same person who controls that particular GitHub account.
Being reminded of this anecdote from NYMag's recent cover story (which had previously been reported in a WSJ story[0]) about a Disney engineer who downloaded an AI-gen tool from Github and "checked the code himself, it had looked legitimate":
> He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.
A password manager is a single point of failure and should be avoided. I've heard other sad stories about someone who's pw manager was compromised and they lost everything.
This is a failure of malware flagging systems as well - VT should not return clean if there are any downstream files that are malicious - such as in this case.
> Why do they only clone new repositories, rather than popular ones?
> Why do they delete a commit and push a new one every few hours?
Because this is not targetted to humans. It's targetted to agents. They just need to appear on a fraction of the searches agents do to add dependencies and get lucky a couple times to start a new infection cluster.
Then to the more interesting question: why now?
1. Agents, agents everywhere.
2. MAJOR elections happening this year in the World, including US midterms and Brazilian mains. This appears to be an account-stealer worm - and my guess is it's looking to all those sweet sweet Facebook/Instagram/Tiktok/Whatsapp accounts ready to bot their way into oblivion.
65 comments
[ 1.2 ms ] story [ 13.0 ms ] threadI recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Phillips LED light strip.
I reported it to GitHub and it was removed within 24 hours.
I discovered another repository like this, and they still haven't replied since (one month).
No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)
Years ago, a friend of mine fell victim to a romance scam. Damage ~€3k. It involved fake websites of non-existing logistics companies, a fake banking site where victim could 'help' a person 'transfer funds' for them, a long chat history (over Viber or something like that, initiated through Facebook), etc.
This being a good friend, I put in some legwork, saved local copies of sites, etc. Some findings:
# It's easy to find copies of sites of the one(s) used to defraud victim. In this case, ~50. And compile a list, what's the hoster of each & where domains are registered.
# Fake banking sites are easy to determine since legitimate banks are recorded in per-country registries. Legitimate: website's security certificate (extended validation etc) indicates [bank_X], bank_X listed as such in registry of country it operates in. Not? -> fake.
For non-banking fake sites it's more difficult to tell.
# Hosting companies & domain registrars do take action. As long as you provide correct & detailed info, in such a way that it's easy for them to act on. Professional companies don't like having legal / financial liabilities sit around.
# If there's security certificates involved, informing issuer of that can remove "secure connection" from a whole batch of sites in 1 go. Makes it harder to convince future victims. (no lock icon on a banking site?!?)
# An official request could be filed with this victim's bank (passed on to recipient's bank), that would give holder of recipient account 2 options: a) return the funds, or b) have their personal details revealed to victim - for use in legal proceedings etc.
This was within EU area. Likely, recipient would be a money mule & not respond. But then you'd get money mule's full name/contact info etc (home address?)
# Police / fraud orgs etc rarely have time for this. You need to do the legwork yourself.
Ultimately, my friend decided not to pursue the matter. But in the mean time, I had caused >2/3 of those fake sites to be deleted (and all the fake banking sites I'd found), and some security certificates to be revoked. Obviously that disrupts scammer's operations to some degree (and costs them time, $$, potential victims dropped etc). So it's not like you can't do anything.
Virustotal link: https://www.virustotal.com/gui/file/fdb6cff68a2a8c08779d64a7...
the ethos of open source is that bugs and malicious code are more likely to be spotted.
we’re discussing this on hn right now strictly because the code is open, the abusive code was found because it is open.
abusive people will make abusive software. the problem lies in the fact that despite absolutely having the resources, microsoft won’t do anything about it, not in the fact that we can see the abuse.
the problem is microsoft, yet again.
Side story, this kind of thing is what made me stop using Bing.
I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"
I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.
May be to make it appear on the top of the "Last Updated" repositories in case someone searches for the repo or a keyword. So instead of the author's actual repo, the users endup cloning the trojan infected one.
Also, github doesn't delete repositories and accounts, they mark them as deleted. If you use their api you can still list them.
MS Windows
https://archive.is/yAUNy
> He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.
[0] https://www.wsj.com/tech/cybersecurity/disney-employee-ai-to...
The title is "nulled WHMCS" and it's a full copy of that software with copy protection removed. It couldn't be more cut and dried.
The repo is still there 2+ years later and GitHub has taken no action.
If GitHub can't respond to tickets pointing out obvious pirated software, I don't think they care about anything anyone puts up.
Because this is not targetted to humans. It's targetted to agents. They just need to appear on a fraction of the searches agents do to add dependencies and get lucky a couple times to start a new infection cluster.
Then to the more interesting question: why now?
1. Agents, agents everywhere.
2. MAJOR elections happening this year in the World, including US midterms and Brazilian mains. This appears to be an account-stealer worm - and my guess is it's looking to all those sweet sweet Facebook/Instagram/Tiktok/Whatsapp accounts ready to bot their way into oblivion.