The Ultimate Guide to Non-Human Identities Report Now Available

GitHub Dependabot Breach

NHI Mgmt Group

Overview

In July 2023, a sophisticated cyberattack shook the developer community, targeting GitHub repositories at an unprecedented scale. Threat actors exploited stolen GitHub personal access tokens to inject malicious code into hundreds of repositories, masquerading the commits as legitimate contributions by Dependabot, a widely used automated dependency management tool. This tactic not only disguised their activity but also leveraged the trust developers place in automation.

What Happened?

In July 2023, the monitoring systems detected a wave of commits to hundreds of GitHub repositories. These commits, falsely appearing to originate from Dependabot, contained malicious code. The commit messages were carefully crafted by threat actors to mimic legitimate automated contributions, an attempt to obscure their malicious activities.

Upon investigation and discussions with several compromised victims, it was confirmed that attackers had stolen the victims’ GitHub personal access tokens. These stolen tokens were then used to introduce the malicious code into the affected repositories. The attack had several alarming impacts:

  • Exfiltration of Secrets: The malicious code was designed to extract project-defined secrets and send them to a Command-and-Control (C2) server operated by the attackers.

  • Injection of Password-Stealer Malware: The attackers modified existing JavaScript files in the compromised repositories, embedding malware that captured passwords submitted through web forms. This affected any end-user interacting with the compromised web applications.

Impact on Private Repositories: Some of the stolen GitHub tokens had permissions to access private organizational repositories, broadening the scope of the attack.

How Did This Happen?

Despite GitHub’s recent enforcement of mandatory two-factor authentication (2FA), attackers successfully gained unauthorized access to victim accounts in this sophisticated breach. Here’s a step-by-step breakdown of how the attack unfolded:

  1. Token Exposure - Developers typically configure their development environments with personal access tokens (PATs), SSH keys, or GPG keys to authenticate Git operations. These tokens are stored locally on their machines and, unlike standard login credentials, do not require 2FA. While convenient, PATs become a vulnerability if exposed, as they grant full account access from any internet-connected device.

  2. Credential Exfiltration via Malicious Packages - The attackers likely infiltrated victims' development environments through malicious means. Evidence suggests the use of malicious open-source packages designed to exfiltrate sensitive information, including PATs, to the attackers' Command-and-Control (C2) servers. Once stolen, these tokens enabled the attackers to bypass 2FA and seamlessly impersonate the victims.

  3. Repository Compromise and Code Injection - With the stolen tokens in hand, the attackers authenticated to GitHub and modified the victims' repositories. They introduced malicious code designed to exfiltrate secrets and inject password-stealing malware into JavaScript files. Analysis of the attack shows it was highly automated, targeting multiple repositories with surgical precision.

How To Prevent Similar Incidents?

To prevent similar incidents, developers and organizations should adopt these best practices:

  1. Implement Manual Reviews - Even for automated PRs, implement a mandatory code review process. Ensure that updates, especially from third-party libraries, are examined before merging.

  2. Use Dependency Scanners - Pair Dependabot with dependency scanners like Snyk or OWASP Dependency-Check, which analyze the security posture of libraries and flag known vulnerabilities.

  3. Lock Dependency Versions - Use tools like lockfiles to fix dependency versions, ensuring you’re not inadvertently pulling malicious updates.

  4. Monitor Open-Source Libraries - Keep an eye on the libraries you rely on, especially for critical projects. Subscribe to security mailing lists or updates from maintainers to stay informed.

  5. Use Sandboxing and Testing - Always test dependency updates in isolated environments before deploying them to production. This approach can help detect unusual behavior introduced by malicious updates.

Conclusion

The Dependabot malicious code incident is a wake-up call for the software development community. While automation remains a powerful ally, it is not flawless. Balancing efficiency with security requires a proactive approach, combining vigilant reviews, robust tools, and ecosystem-wide collaboration.

As the open-source environment continues to evolve, so too must our strategies to protect it. Let this incident serve as a reminder that security is everyone’s responsibility, from developers and maintainers to platform leaders.

About Contact Glossary

Terms & Conditions Privacy policy

Non-Human Identity Mgmt Group

The Non-Human Identity Management Group is the #1 Authority for research and education on Non-Human Identity risks. We provide Independent guidance and expert advice to organizations, helping them understand, manage and secure these huge risks effectively.

Subscribe to our Newsletter

Subscribe

© 2024