in Github revealed the activity on the mass creation of forks and clones of popular projects, with the introduction in a copy of harmful changes, including the backdor. Search named Host (OVZ1.j1954519.Pr46M.VPS.Myjino.ru), to which the malicious code is being addressed, showed the presence of more than 35 thousand changes present in clones and forks of various repositories, including forks of projects Crypto, Golang, Python, JS, Bash, Docker and K8S.
The attack is aimed that the user will not track the original and will use the main project with an fork or clone with a slightly different name instead of the repository of the main project. Currently, GitHub has already deleted most of the forks with a malicious insert. Users who come to GitHub from search engines recommends to carefully check the relationship of the repository with the main project before using code from it.
The added malicious code sent the contents of the environment variables to the external server with the calculation of the theft of tokens to the AWS and continuous integration systems. In addition, Backdor was integrated into the code, launching Shell team, returned after sending a request to the attackers server. Most malicious changes were added from 6 to 20 days ago, but there are individual repositories in which malicious code can be traced since 2015.