- A newly discovered vulnerability in the open source community allows threat actors to trick developers into downloading potentially malicious code on GitHub, according to research published Friday by Checkmarx.
- By spoofing and forging metadata on GitHub, malicious actors can falsify the timestamp and identity of the user responsible for a specific change to a repository. This tactic can make malicious code appear reputable from a trusted source, the application security testing company warned.
- Unverified commits to open source code poses a serious threat. Developers and enterprises could introduce malicious code into their systems by using a suspicious repository.
This software supply chain attack technique exploits the trustworthiness and reputation commonly associated with frequent GitHub contributors and the repositories they maintain.
Developers are more likely to choose open source projects associated with an owner that has a track record of activity going back years. GitHub provides this commit data in activity graphs on the user’s profile page, but these data points can be easily manipulated, Yehuda Gelb, security researcher at Checkmarx, said in a video on Checkmarx’ blog.
Malicious actors can fabricate many commits and, because this activity is displayed on GitHub in public and private repositories, it’s effectively impossible to authenticate the veracity of commits, according to Checkmarx.
Threat actors can push a commit on behalf of a reputable GitHub user by spoofing the username and email address. If this tactic is repeated multiple times to populate a user’s repository section, the project will appear trustworthy to many developers.
Spoofing the identity of a reputable contributor is a relatively simple process on GitHub, according to Checkmarx. Once a malicious actor knows the user’s email address, they can set the username and email in the Git command line and commit changes on the user’s behalf. GitHub has not yet responded to Cybersecurity Dive’s request for comment.
GitHub provides a pair of features that developers can use to mitigate the risk of falling for spoofed contributors or falsified commits. Both require active involvement from creators.
Commit signature verification allows contributors to cryptographically sign commits, adding a layer of verification for developers to measure repositories against. Developers can also enable vigilant mode, which displays the verification status of all of the user’s commits, making it easier for potential users to spot impersonation attempts.