GitHub Repos Bombarded By Info-Stealing Commits Masked as Dependabot

Cyber Security Threat Summary:
Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers. The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits. Dependabot is an automated tool provided by GitHub that scans projects for vulnerable dependencies and then automatically issues pull requests to install the updated versions. As reported today by Checkmarx, these fake Dependabot contributions were made possible using stolen GitHub access tokens with the attackers' goal of injecting malicious code to steal the project's secrets” (Bleeping Computer, 2023).

The GitHub accounts are being compromised using victims’ personal access tokens (PAT). Once the account is compromised, the actors will create a commit, which is typically a message that is added to repositories to identify changes made to a project. In this case, the threat actors are creating fake commit messages titled “fix” that appear to be added by the user account “dependabot[bot]. Taking a closer look, these commits introduce malicious code into the project that performs the following two actions:

  • Extract secrets from the targeted GitHub project and send them to the attacker's command and control server. The secrets exfiltration is achieved by adding the GitHub action file "hook.yml" as a new workflow triggered on every code push event on the impacted repository.
  • Modify existing JavaScript files in the breached repository to add malware that steals passwords from web-form submissions and sends them to the same C2 address.
Security Officer Comments:
With personal access tokens being obtained, the actors can further gain access to private repositories. It’s unclear how these developer tokens are being compromised. However, this could have been achieved through a malware infection, with the actors delivering malicious packages to targeted devices, further allowing the actors to exfiltrate the tokens to a remote C2 server. Researchers note that PAT access log activity is only visible for enterprise accounts. As such, non-enterprise users won’t know for sure if their token has been compromised.

Suggested Correction(s):
A proposed measure to defend against these attacks is to switch to GitHub's fine-grained personal access tokens, which limits each user to specific permissions, hence reducing risks in case of compromise.