GitHub Targeted by Massive Repository Spoofing Attack, Posing Threat to Developers


GitHub has been inundated with malicious repositories for months as part of a so-called dependency confusion attack, according to researchers at the security company Apiiro. Legitimate repositories are being counterfeited and filled with malicious code.

Cybercriminals are cloning existing repositories, adding malware loaders, and posting them on GitHub under a name identical to the legitimate project. Through an automated process, each rogue repository is then forked thousands of times, so that numerous forks appear carrying the same name as the original project, Apiiro discovered. The attackers are counting on developers mistakenly downloading the rogue version instead of the real one, spreading malware that may steal passwords or cryptocurrency.

According to Apiiro, the attack has been ongoing since May of last year, although the tactics have changed slightly over time. In May of last year, malicious packages were uploaded to PyPI and then referenced from forks of popular GitHub repositories through calls to those packages. After PyPI removed the packages, the criminals started uploading rogue repositories directly to GitHub. Since November, at least 100,000 repositories have been counterfeited, but the researchers estimate that the actual number may be in the millions.

Some of the created forks are removed soon after they appear: GitHub can identify when forks are generated automatically and takes them offline. However, many repositories are still being missed by GitHub, according to Apiiro, and some are created manually, which evades the automated detection. The researchers note that, given the scale of the attack and its automated nature, "the 1 percent that survives detection still equates to thousands of rogue repositories."
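The defensive counterpart to the name-collision forks described above is a simple owner check: a repository whose name matches a project you depend on but whose GitHub owner is not the expected one deserves a second look before anything is cloned or built. The script below is an added example and is not tooling from Apiiro or GitHub; it assumes the remote URLs come from something like `git remote -v`, and the allowlist entries, owners and repository names are all constructed for illustration.

```python
import re
from typing import Optional

# Constructed allowlist for this example: the GitHub owner a team expects for
# each project it clones. A real team would derive this from its lockfiles or
# dependency manifests; none of these names are real projects.
TRUSTED_OWNERS = {
    "example-http-lib": "example-org",
    "example-web-framework": "example-foundation",
}

# Accepts the common GitHub remote spellings: https://, scp-like git@ and ssh://.
_GITHUB_REMOTE = re.compile(
    r"^(?:https?://(?:www\.)?github\.com/|git@github\.com:|ssh://git@github\.com/)"
    r"(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?/?$"
)

# Constructed sample of what a handful of checkouts might report as remotes.
SAMPLE_REMOTES = [
    "https://github.com/example-org/example-http-lib.git",
    "git@github.com:some-random-user/example-http-lib.git",
    "ssh://git@github.com/example-foundation/example-web-framework",
    "https://gitlab.example.com/team/internal-tool.git",
]


def parse_github_remote(url: str) -> Optional[tuple[str, str]]:
    """Return (owner, repo) for a GitHub remote URL, or None if it is not one."""
    m = _GITHUB_REMOTE.match(url.strip())
    if not m:
        return None
    return m.group("owner"), m.group("repo")


def check_remote(url: str) -> tuple[str, str]:
    """Classify one remote as 'ok', 'suspect' or 'unknown', with a reason.

    'suspect' means the repository name matches a project on the allowlist
    but the owner differs: the shape of a rogue fork carrying a copied name.
    """
    parsed = parse_github_remote(url)
    if parsed is None:
        return "unknown", "not a GitHub remote"
    owner, repo = parsed
    expected = TRUSTED_OWNERS.get(repo.lower())
    if expected is None:
        return "unknown", f"{repo} is not on the allowlist"
    if owner.lower() == expected.lower():
        return "ok", f"{owner}/{repo} matches the expected owner"
    return "suspect", f"{owner}/{repo}: expected owner {expected}, got {owner}"


def audit_remotes(urls: list[str]) -> list[tuple[str, str, str]]:
    """Run check_remote over many URLs and return only the non-'ok' findings."""
    findings = []
    for url in urls:
        verdict, reason = check_remote(url)
        if verdict != "ok":
            findings.append((url, verdict, reason))
    return findings


if __name__ == "__main__":
    for url, verdict, reason in audit_remotes(SAMPLE_REMOTES):
        print(f"{verdict:8} {url}  ({reason})")
```

The check deliberately treats an unlisted repository as "unknown" rather than "ok": a name that is not on the allowlist cannot be vouched for, and the point of the exercise is that a matching name alone proves nothing about provenance. Pinning to a commit hash in addition to the owner check closes the remaining gap, since the attackers' copies are modified clones rather than the original history.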

GitHub has not disputed Apiiro's assessment in its response to Ars Technica, but declined to answer further questions from the American publication. In a statement, the platform said it is dedicated to providing a secure platform for developers, with teams that work to detect, analyze, and remove content that violates its terms, using both manual review and machine learning. GitHub also encourages community members and customers to report any abuse or spam they encounter.