Checkmarx security researchers have discovered unusual commits in hundreds of public and private repositories that were faked to appear as dependabot commits. This malicious campaign is focused on injecting malware into projects to steal confidential data. The campaign has been ongoing since July 2023.
Dependabot is a tool provided by GitHub that automatically checks and updates project dependencies to ensure they are secure and up to date. When Dependabot detects outdated or vulnerable dependencies, it creates a Pull Request request to update them automatically.
In the context of GitHub, “contributions” are typically related to any changes made to a repository, including new code, bug fixes, and documentation. In this attack, the attackers created commits that mimicked dependabot’s style but actually contained malicious code.
The attack started with the hackers obtaining personal GitHub access tokens from their victims. The exact method of token theft remains unknown to Checkmarx researchers. It is suspected that the cybercriminals utilized automated scripts to create fake commit messages with the heading “FIX” to make them appear as if they were from the “DEPENDABOT [BOT]” account.
The fake dependabot commits introduced harmful code into the targeted projects, performing the following actions:
- Extracting secrets from the GitHub project and sending them to the attacker’s command and control server (C2-server).
Checkmarx analysts investigated some of the victims and found that their accounts had been compromised through stolen personal access tokens (PAT). Most of the compromised users are from Indonesia, suggesting a targeted nature of the attack. However, specific details about the motives behind the attack are not available. To defend against such attacks, it is recommended to switch to GitHub personal access tokens with fine-grained permissions (Fine-Grained PAT), which limit each user to specific permissions