Nov 18, 2024 12:30:00

Attacks on GitHub attempting to add malicious code by impersonating other users

In open source projects published on GitHub, anyone can submit correction suggestions if there is a mistake in the code. However, there have been many confirmed attempts to abuse this mechanism to add malicious code. Most recently, there have been confirmed cases where, rather than hiding their identity, they impersonated others to make it appear as if they were 'attempting to make malicious commits.'

GitHub projects targeted with malicious commits to frame researcher

https://www.bleepingcomputer.com/news/security/github-projects-targeted-with-malicious-commits-to-frame-researcher/

Alex Cheema, co-founder of

EXO Labs , a startup working on technology to democratize AI, discovered a strange commit in the company's GitHub repository and warned that it was code that could open a backdoor.

Backdoor attempt on @exolabs through an innocent looking PR.

Read every line of code. Stay safu. pic.twitter.com/M0WHoCF5Mu

— Alex Cheema - e/acc (@alexocheema) November 12, 2024

The code was a long list of two- to three-digit numbers along with the explanation, 'MLX, a machine learning framework for Mac, is requesting the execution of a Deepseek model.'

According to security news site BleepingComputer, the numbers were a converted piece of Python code that, when converted back, attempted to read data named 'stage1payload' from a URL.

The GitHub account that added the code was 'evildojo666,' and the domain name of the URL where the file was located was 'evildojo,' a favorite phrase of programmer Mike Bell. Bell's real GitHub account is ' mikedesu .'

Bell posted about the incident, saying, 'Someone is impersonating me,' 'I believe the impersonator is angry that I'm ignoring them,' 'I'm sorry that other people have had to deal with this,' and 'I'll be taking a few hours off from gaming (top priority).'

If you're looking for clarity about the Github backdoor attempts from November 12th:

- Someone is impersonating me
- impersonator mad that i'm not giving them attention
- i am sorry others are being dragged into it
- taking a few hours off to work on my game again (priority)

— darkmage (@evildojo666) November 12, 2024

According to BleepingComputer's investigation, even if they accessed the URL from which the data was downloaded, they could not find the data. Since it is easy to create an account on GitHub that impersonates someone else, it is quite possible that someone impersonated Bell, as Bell explained.

Similar to 'evildojo666,' an account called 'darkimage666' was also reported to have attempted to add malicious code, but this account used Bell's X account image as its icon and profile image. Both accounts have since been deleted.

In addition, several popular projects, including ' yt-dlp ', have been reported to be targeted with similar malicious commits, with at least 18 pull requests identified.

The most recent well-known example of this type of attack is the embedding of a malicious backdoor into 'XZ Utils' in April 2024, and warnings have been issued that similar attacks are being made against other projects.

OpenSSF warns that similar cyber attacks to those on 'XZ Utils' are being targeted at other projects - GIGAZINE