Dependabot impersonators cause trouble on GitHub

GitHub is experiencing issues of the “breached account and malicious code” variety. ITPro reports that unnamed individuals have been compromising accounts and using them to install malware capable of password theft. It’s a fairly elaborate scam which even includes imitation of GitHub’s popular Dependabot feature.

To make this scam work, attackers first obtained access tokens belonging to their targets. Once the attackers have control over the stolen accounts, they would change the alias for said accounts to “Dependabot[bot]” and begin making potentially dangerous code commits.

If you’re unfamiliar with the language of GitHub, don’t worry. GitHub is the place where developers can manage their project code. Bug tracking, software feature requests, task management, and wikis for each and every project are available to users.

When a developer is writing their code, they can eventually publish from their local workstation to GitHub’s staging directory. At this point, a “Commit” is made. The Commit is another way of saying “a snapshot”, a version of your project as it exists at a specific moment in time.

In this case, the attackers deploy malicious code into the projects they hijack. They then steal secrets from the compromised project and send it back to base. Additionally, existing JavaScript files already present in the project are tampered with to add malware. Said malware will attempt to steal passwords from form submissions and send them to the command and control server run by the attackers. Stolen tokens gave access to many private repositories so both public and private projects were impacted.

In terms of how the attackers initially got in, some accounts were found to have been taken over by stolen personal access tokens. As Bleeping Computer notes, these tokens allowed developers to access GitHub without having to make use of two-factor authentication (2FA) steps. 

With the tokens stored locally on the developer’s machine, it’s possible that someone hijacking the system could easily grab the tokens required to breach individual GitHub accounts. Whether this was achieved by malware, social engineering or phishing, nobody has the answers at time of writing.

The sneaky part of this escapade is the imitation of the previously mentioned Dependabot. This helpful addition to GitHub assists developers in keeping on top of their project and all associated dependencies tied to it. Dependabot automates dependency updating tasks which helps to keep security issues at bay.

What’s happening up above is that the attackers are disguising their bogus updates under the visage of Dependabot. If you’re on GitHub for any length of time, seeing Dependabot popping up in relation to an update is commonplace. As a result, seeing the imitation Dependabot on a page is going to fool quite a few people who will assume all is well.

While the imitation helper isn’t perfect and doesn’t replicate the real thing exactly, those behind this will still reap some rewards. If you’re wanting to be on the lookout for fake Dependabot posts, the most overt signifier of fake activity is the profile avatar. Dependabot has a square profile image and a “bot” tag. Regular accounts have a circular avatar and are also unable to properly replicate the bot tag signifier.

Fake commit attacks have been seen before using a variety of techniques, but imitating the bot helper is new. It’s also somewhat ironic to see a GitHub function dedicated to keeping things secure being imitated in a way which severely impacts the safety of platform users. It may be that GitHub makes the Dependabot even more distinctive than it already is to help ward off future similar attacks.

Stay safe out there!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.