Malware Threatens Developers Using GitHub
For developers, GitHub is an essential tool for collaborating on software projects. It allows teams to work together to build new features and address bugs and issues, without affecting the main code until everything is ready to go. While GitHub has security measures in place to keep developers safe, there are new threats that make it all too easy to accidentally download malware from the service.
One of the key ways GitHub protects developers from bad actors and their malicious code is in its transparency. GitHub keeps a detailed record of everyone’s contributions to a project, including timestamps and identifiers. When you make a change to the repository (the main coding project), everyone knows you made that change, no doubt about it.
According to Cybersecurity Dive, this system is where attackers have focused their efforts. There is a new vulnerability that allows bad actors to mess with this GitHub metadata, making it possible to forge timestamps and identifiers. Malicious users can make it seem like a trusted user made a change at a certain time, when that user never made the change at all. The end goal, of course, is to trick users into downloading what appears to be legitimate code, but is in reality malware.
The ramifications for such a breach could be catastrophic. While this vulnerability can introduce malware into the systems of individuals working on projects through GitHub, it could also affect entire businesses depending on the threat level.
Unfortunately, it is apparently easy to spoof the identity of a trusted GitHub contributor. All you need is their email address: With that information, bad actors can enter the user’s username and email in the Git command line and change things, all the while identified by GitHub as the trusted user.
GitHub has a solution
Fortunately, there are strategies from GitHub to avoid this type of security issue. If users implement commit signature verification, they can cryptographically sign commits, which is a much more secure method of confirmation. Second, there’s vigilant mode, which shows the verifications status for each of the user’s commits. This transparency can help weed out the commits made by fraudulent users.
Cover photo by olia danilevich/Pexels