July 19, 2022

Security researchers at Checkmarx have uncovered a software supply chain attack technique that tricks developers into downloading malicious code on GitHub.

Threat actors can carry out their nefarious activities by spoofing and forging data on GitHub. Using this technique, attackers are able to falsify the timestamp and identity of the user responsible for a particular change to a repository.

The researchers said the attackers capitalize on the trustworthiness and reputation commonly associated with frequent GitHub contributors and their repositories.

GitHub provides commit data from developers with years of experience in activity, and the commit data in the activity graph is made available on the user’s profile page, making it easier for developers to select their preferred open source projects.

However, this data provided by GitHub can be manipulated by threat actors by fabricating many commits. Checkmarx explained that it is virtually impossible to verify the authenticity of commits because such activities on GitHub are displayed in public and private repositories.

Forging a reputable contributor’s data is simple and essentially involves the attacker knowing the user’s email address, then setting the username and email address on the Git command line and making changes on the user’s behalf.

The sources for this piece include an article in CIODIVE.