| ▲ | mkeeter 6 hours ago |
| A repository search shows 2.2K repos with the text "A Mini Shai-Hulud has Appeared", all created within the past day: https://github.com/search?q=A%20Mini%20Shai-Hulud%20has%20Ap... |
|
| ▲ | rhdunn 6 hours ago | parent | next [-] |
| The repository names all look like two terms/words from dune (harkonen, mentat, ornithoptor, etc.) followed by a number. This would indicate that the account (possibly GitHub auth/actions token) has been compromised and then used to create the repository. |
|
| ▲ | avaer 2 hours ago | parent | prev | next [-] |
| Why can't GitHub get on the case and just block any repo where the README matches the regex? I thought they'd have learned their lesson the last time it happened. This malware isn't even trying. Then again it's Microsoft so they're not even trying either. |
| |
| ▲ | eddythompson80 an hour ago | parent [-] | | 6 minutes later an HN submission "GitHub blocks your account if you mention X in the README" with a top comment "This is absurd, are they just doing regex matching to check for malware?" |
|
|
| ▲ | spate141 6 hours ago | parent | prev [-] |
| what's this all about? |
| |
| ▲ | foo12bar 6 hours ago | parent | next [-] | | FTFA > The attack steals credentials, authentication tokens, environment variables, and cloud secrets, while also attempting to poison GitHub repositories. | | |
| ▲ | CodeAndCuffs 6 hours ago | parent [-] | | That doesn't really explain why there is a bunch of GitHub repos created as well. If I remember correctly from Shai-Hulud 2, the attacker extricated creds by posting them in public github repos with minor easily reversible encryption. I believe it was double b64 last time. I'm assuming the logic there is that every security researcher and company is going to pull and scan those creds for their stuff and their clients' stuff. So the attacker is just 1 of N people downloading it. As opposed to trying to send it to their own machine directly. | | |
| ▲ | arsome 5 hours ago | parent [-] | | I think it's more about convenience and bypassing filters - developers are already logged in to github, already have access to create repos and publish code, firewalls will allow it. Even fancy HIDS systems will think the git push is rather normal. If they have a clue, the attacker still will not download that without using a botnet tunnel or Tor at a minimum. Note though that these credentials aren't even encrypted using some lightweight ECC to prevent others from capturing them, they're posted in cleartext. Embarassment might be part of the point. |
|
| |
| ▲ | progbits 6 hours ago | parent | prev [-] | | Malware uploading the credentials it managed to steal |
|
