Our Repo Got More Than 100 GitHub Stars From Compromised Accounts

TL;DR

There is widespread npm supply chain attack taking place now, and your GitHub account might have been compromised. Check if your account has created new repos or has made commits you didn't. More info about the attack can be found here.

Unexpected GitHub Stars

Yesterday night I noticed that our repo got more than 100 stars in one day, and went from 330 to 440. This was very unexpected, because we haven't done anything to promote it recently. Initially, I thought that maybe someone saw it and shared it, but then I checked on the traffic and it hadn't increased at all from the previous days.

Users with weird behaviour

I told this to my co-maintainer, and we started looking at the users' profiles who starred the repo. After a few users we started noticing a pattern, either they had pinned repos with weird names or they had had made commits to repos where they changed the README.md file.

The explanation

Gitlab has published a report about the attack. They have explained it very well, but in a nutshell this is what is happening:

• An infected npm package is installed.

• During the installation, a modified package.json, which ends up installing a 10MB obfuscated file.

• Then the malware is searching for GitHub and other credentials in the compromised system.

• The malware is creating new repos using the stolen GitHub credentials, the repo has the description "Sha1-Hulud: The Second Coming.", which are served as storage for stolen credentials.

• Finally, the malware is looking for other repos with the same description in order to get other stolen credentials.

  Also, the malware is propagating itself by getting the npm packages that are maintained by the victim and adds the malicious file to the package and then publishes with a new version.

  It isn't so easy to stop it

  The report is saying that if an affected system loses access to both GitHub and npm then it starts a destruction on the compromised system. This means that GitHub can't mass delete the malware's repos.

  Summary

  In your system you can check for indications of compromise, which are listed here.

  Unfortunately, our repo didn't become viral but our accounts are safe. Have a look at your accounts and repos and see if are affected.

  I am hoping the next 100 stars to our remote pair programming app will be organic and not fake.

  I have reached out to as many people as I could to inform them that their account might have been affected.

  As always this post was 100% manually typed.