Security News
Sarah Gooding
August 29, 2024
If you’re seeing a lot more spam on your open source repositories this week, you’re not alone. GitHub users are reporting a new influx of spambots hitting their issues with comments that link to malicious executables.
This unorthodox spamming strategy feels like a throwback to earlier internet days. The bots are hijacking existing GitHub issues and slipping in links that lead to malicious downloads from MediaFire—a file-sharing site that was popular over a decade ago. The irony of using such an outdated platform to spread malicious downloads adds a bizarre, almost nostalgic angle to the scheme.
Robert Chisholm, a research software engineer at the University of Sheffield, is one of many developers who have posted to social media platforms about this unexpected blend of old-school tactics with modern cybersecurity threats disguised as technical responses to issues.
“New issue, and 3 replies from 4 uniquely unknown users in the space of 10 minutes,” Chisholm reported. “All 3 replies saying to download some archive from mediafire and install something...
“To GitHub's credit the first and third of those replies were seemingly instantly deleted. Weren't present on the issue when I opened it.”
The spam is more than a nuisance; it poses a serious security risk. By luring unsuspecting users into downloading malicious files, these spambots can compromise systems, steal sensitive data, and spread malware. The spam comments also land in email inboxes for those with email notifications turned on.
Once a user is compromised, the malware reportedly hijacks the GitHub account to post the same spam to repositories the user has starred or bookmarked. One developer downloaded the file from MediaFire to analyze it and found that it is Lumma Stealer, according to Triage.
GitHub is responding and many of these comments on issues are being deleted (both manually by the repository owners and also by GitHub moderation) but the spam is still ongoing. Thousands of the issues with this spam campaign have been closed and 834 still remain open at the time of publishing.
This incident highlights the urgent need for GitHub to implement stronger spam prevention measures and for users to exercise caution when interacting with unsolicited comments.
This isn’t the first time open source projects have been targeted with a widespread spam campaign, and it won’t be the last. This particular instance has renewed maintainers’ requests for GitHub to add better moderation tools that would help manage the influx of unsolicited and unwanted comments on issues.
“It's significant work for what should be a built-in feature, and it can only catch problematic comments after they're posted and notified the whole world,” OSS maintainer Rémi Verschelde commented on a suggestion to create a GitHub bot/app to handle spam comments.
“They can declutter the issues/PRs, but people will still have been notified with spam content.”
As a result of this campaign, developer Martin Leduc took matters into his own hands and created a GitHub Action that filters comments for suspicious content. Leduc said the action will normally be fast enough to change the content of the comment before it gets picked up by the GitHub background job in charge of sending the email notification, and published a demo.
“It shouldn't be the job of OSS maintainers to prevent this malware spamming, but until GitHub figures out something to make it stop, I've made a small automated action that removes suspicious links from issue-comments,” Leduc said.
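The approach Leduc describes, as an added illustration that is not his action or any code from the original post: a handler meant to run under actions/github-script on the `issue_comment` (created) event, which redacts links to MediaFire (the host used in this campaign) and other bare executable/archive downloads from a new comment and rewrites the comment through the GitHub API before the notification job picks it up. The blocklist, allowlist and extension list are constructed assumptions for this example; `handleComment`, `sanitizeComment` and `isSuspicious` are names chosen here.

```javascript
// Added example, not Leduc's action. Workflow sketch (constructed):
//   on: issue_comment: { types: [created] }   permissions: { issues: write }
//   step: uses: actions/github-script@v7  with: script: "return handleComment(github, context)"
// actions/github-script supplies `github` (an Octokit client) and `context` (the event payload).

const SUSPICIOUS_HOSTS = ['mediafire.com'];                  // host used in this campaign (constructed list)
const ALLOWED_HOSTS = ['github.com', 'githubusercontent.com']; // where maintainers legitimately host files
const FILE_EXTENSIONS = /\.(zip|rar|7z|exe|msi|scr)$/i;      // archive/executable downloads
const URL_RE = /\bhttps?:\/\/[^\s<>()"']+/gi;

// A URL is suspicious if its host is on the blocklist, or if it points at an
// archive/executable on a host that is not explicitly allowed.
function isSuspicious(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }      // not a real URL: leave it alone
  const host = parsed.hostname.toLowerCase();
  const matches = (list) => list.some((h) => host === h || host.endsWith('.' + h));
  if (matches(SUSPICIOUS_HOSTS)) return true;
  if (matches(ALLOWED_HOSTS)) return false;
  return FILE_EXTENSIONS.test(parsed.pathname);
}

// Replace every suspicious link in the comment body; report which ones were removed.
function sanitizeComment(body) {
  const flagged = [];
  const cleaned = body.replace(URL_RE, (url) => {
    if (!isSuspicious(url)) return url;
    flagged.push(url);
    return '[link removed: suspicious download]';
  });
  return { body: cleaned, flagged };
}

// Entry point for the workflow step. Edits the comment in place only when something was flagged,
// so benign comments never trigger an API write.
async function handleComment(github, context) {
  const comment = context.payload.comment;
  const { body, flagged } = sanitizeComment(comment.body || '');
  if (flagged.length === 0) return { edited: false, flagged };
  await github.rest.issues.updateComment({
    owner: context.repo.owner,
    repo: context.repo.repo,
    comment_id: comment.id,
    body,
  });
  return { edited: true, flagged };
}
```

This redacts content after it is posted, so, as Verschelde notes above, it narrows the window in which the spam is visible and mailed out rather than preventing the post itself.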
GitHub users are frustrated with the complicated process for reporting the spam, and some were not aware of which channels could be used to bring it to GitHub’s attention.
Users commented that reporting these comments is “a slog” due to GitHub’s CAPTCHA, after seeing the exact same comment posted five times on the same issue in the span of one minute.
For maintainers, whose time and resources are already stretched thin, combating spam is a significant drain on productivity. This kind of spam not only disrupts project discussions but also consumes valuable time that maintainers could otherwise spend on development. This recent spam campaign, which has serious security implications, spotlights the critical need for OSS maintainers to have better moderation tools and a more streamlined reporting mechanism for abuse.