GitHub flaw tricks developers into downloading malicious code

Security researchers at Checkmarx have uncovered a software supply chain attack technique that tricks developers into downloading malicious code on GitHub.

Threat actors can carry out their nefarious activities by spoofing and forging data on GitHub. Using this technique, attackers are able to falsify the timestamp and identity of the user responsible for a particular change to a repository.

The researchers said the attackers capitalize on the trustworthiness and reputation commonly associated with frequent GitHub contributors and their repositories.

GitHub provides commit data from developers with years of experience in activity, and the commit data in the activity graph is made available on the user’s profile page, making it easier for developers to select their preferred open source projects.

However, this data provided by GitHub can be manipulated by threat actors by fabricating many commits. Checkmarx explained that it is virtually impossible to verify the authenticity of commits because such activities on GitHub are displayed in public and private repositories.

Forging a reputable contributor’s data is simple and essentially involves the attacker knowing the user’s email address, then setting the username and email address on the Git command line and making changes on the user’s behalf.

The sources for this piece include an article in CIODIVE.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web