News

Malware Threatens Developers Using GitHub

For developers, GitHub is an essential tool for collaborating on software projects. It allows teams to work together to build new features and address bugs and issues, without affecting the main code until everything is ready to go. While GitHub has security measures in place to keep developers safe, there are new threats that make it all too easy to
July 18, 2022
 / 
meritsolutions
 / 
Leave a Comment
 / 
Image

For developers, GitHub is an essential tool for collaborating on software projects. It allows teams to work together to build new features and address bugs and issues, without affecting the main code until everything is ready to go. While GitHub has security measures in place to keep developers safe, there are new threats that make it all too easy to accidentally download malware from the service.

One of the key ways GitHub protects developers from bad actors and their malicious code is in its transparency. GitHub keeps a detailed record of everyone’s contributions to a project, including timestamps and identifiers. When you make a change to the repository (the main coding project), everyone knows you made that change, no doubt about it.

According to Cybersecurity Dive, this system is where attackers have focused their efforts. There is a new vulnerability that allows bad actors to mess with this GitHub metadata, making it possible to forge timestamps and identifiers. Malicious users can make it seem like a trusted user made a change at a certain time, when that user never made the change at all. The end goal, of course, is to trick users into downloading what appears to be legitimate code, but is in reality malware.

The ramifications for such a breach could be catastrophic. While this vulnerability can introduce malware into the systems of individuals working on projects through GitHub, it could also affect entire businesses depending on the threat level.

Unfortunately, it is apparently easy to spoof the identity of a trusted GitHub contributor. All you need is their email address: With that information, bad actors can enter the user’s username and email in the Git command line and change things, all the while identified by GitHub as the trusted user.

GitHub has a solution

Fortunately, there are strategies from GitHub to avoid this type of security issue. If users implement commit signature verification, they can cryptographically sign commits, which is a much more secure method of confirmation. Second, there’s vigilant mode, which shows the verifications status for each of the user’s commits. This transparency can help weed out the commits made by fraudulent users.

Cover photo by olia danilevich/Pexels

Share This

Leave a Reply

More Articles

Featured image for “You Should Check Which Apps on Your Smartphone Are Using Your Location”
Apr. 23, 2024

You Should Check Which Apps on Your Smartphone Are Using Your Location

Featured image for “Protect Your Privacy By Forwarding Your Emails Through a Decoy Account”
Apr. 23, 2024

Protect Your Privacy By Forwarding Your Emails Through a Decoy Account

Featured image for “Don’t Send Important Business Information Over SMS”
Apr. 16, 2024

Don’t Send Important Business Information Over SMS

Featured image for “How Following Cybersecurity Best Practices Keeps Your Accounts Safe”
Apr. 16, 2024

How Following Cybersecurity Best Practices Keeps Your Accounts Safe

Featured image for “Do You Know What’s in That Browser Extension?”
Apr. 09, 2024

Do You Know What’s in That Browser Extension?

View All

Sign Up for weekly MERIT Security Briefing

By signing up, you agree to our Privacy Policy.