mass github repo backdooring via CI workflows(Megalodon)

Posted by BattleRemote3157@reddit | programming | View on Reddit | 8 comments

automated campaign pushes over 5,700 malicious commits to 5,561 GitHub repositories in just six hours and the attacker using throwaway accounts with random names and forged commit authors like `build-bot`, `auto-ci`, `ci-bot`, and `pipeline-bot` all with messages like "ci: add build optimization step" or "chore: optimize pipeline runtime." Basically indistinguishable from routine CI noise.

Reply to Post

8 Comments

[-]

AndrewNeo@reddit

All the more reason to disallow pushing directly to master and require a pull request

[-]

Farlo1@reddit

This is the real meat of the issue, it’s insane to me that any “real” project would allow non-maintainers to push directly to the main branch. Seems like a case of bad defaults set by GitHub…

[-]

AmoebaDue6638@reddit

The commit message camouflage is the scariest part. Signing commits with GPG should be table stakes for any repo that runs CI on push, but almost nobody does it because the tooling friction is still too high.

[-]

programming-ModTeam@reddit

No content written mostly by an LLM. If you don't want to write it, we don't want to read it.

[-]

tobidope@reddit

Did you know that you can sign your commits with ssh keys? There is much less friction.

[-]

Key-Newspaper7368@reddit

was this bound to public repos? or both public and private? I dont see how its possible to bypass tokens to get into private repos

[-]

ScottContini@reddit

It would help the community if website SafeDep use the same format of csv file every time they publish a new set of packages that are compromised. That way I don’t need to write a new script every time they publish something new. I get it, beggars can’t be choosers, but I’d be more inclined to look at their product if they showed consistency.

[-]

qodeninja@reddit

ugh. I feel like this is an attack on open source in general. discourage people from sharing, standing up walled gardens and book clubs. it just doesnt end well