The campaign had tells: ReversingLabs observed several signs in the repositories that can help catch the infection at its source. “For the majority of the malicious repositories, the owner only has that (the malicious one) one repository listed under its GitHub account,” Simmons said. “This indicates that these kinds of user accounts are almost certainly fake and created for the express purpose of hosting a malicious repository.”

The repository names were found to be identical to one or more other non-trojanized repositories, indicating some form of typo-squatting at play. Additionally, the “About” section of these repositories was packed with search keywords related to the original repository’s theme and often included an emoji, usually a flame or a rocket ship, hinting at the use of AI.

ReversingLabs shared a list of campaign indicators, including domains, URLs, and filenames, along with all 67 flagged repositories for developers to watch out for.

“For developers relying on these open-source platforms (GitHub), it’s essential to always double-check that the repository you’re using actually contains what you expect,” Simmons cautioned. “However, the best way to avoid running into this threat is to compare the desired repository to a previous, known good version of the software or source code.”
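The tells above (a single-repository owner account, a name that collides with a well-known project, a keyword-stuffed About text with a flame or rocket emoji) and the recommended mitigation (compare against a known-good copy) translate directly into triage logic. The following is an added example written for this page, not ReversingLabs' tooling or any list it published; the `KNOWN_GOOD` lookup table, the scoring thresholds and the sample repository records are constructed for illustration.

```python
"""Triage heuristics for repositories matching the tells described in the
article, plus a file-by-file comparison against a known-good copy.

Added illustration; KNOWN_GOOD, the thresholds and the sample records are
constructed, not data from the article.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path

# Well-known project name -> its legitimate owner (constructed lookup table).
KNOWN_GOOD: dict[str, str] = {"requests": "psf", "flask": "pallets"}

# The emoji the article says typically decorated the About section.
FLAG_EMOJI = {"\U0001F525", "\U0001F680"}  # flame, rocket

MIN_TOKENS = 8       # About texts shorter than this are not scored for stuffing
REPEAT_RATIO = 0.3   # share of repeated tokens that counts as keyword stuffing


@dataclass
class RepoRecord:
    owner: str
    name: str
    about: str
    owner_repo_count: int


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def repeat_ratio(text: str) -> float:
    """Fraction of tokens that are repeats; keyword-stuffed text scores high."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    if not tokens:
        return 0.0
    return 1.0 - len(set(tokens)) / len(tokens)


def triage(repo: RepoRecord, known_good: dict[str, str] = KNOWN_GOOD) -> Verdict:
    """Score one repository against the article's tells; higher is more suspicious."""
    v = Verdict()
    if repo.owner_repo_count == 1:
        v.score += 1
        v.reasons.append("owner account has a single repository")
    legit_owner = known_good.get(repo.name.lower())
    if legit_owner is not None and legit_owner.lower() != repo.owner.lower():
        v.score += 1
        v.reasons.append(f"name collides with {legit_owner}/{repo.name}")
    if any(ch in FLAG_EMOJI for ch in repo.about):
        v.score += 1
        v.reasons.append("flame/rocket emoji in About text")
    tokens = re.findall(r"[a-z0-9]+", repo.about.lower())
    if len(tokens) >= MIN_TOKENS and repeat_ratio(repo.about) >= REPEAT_RATIO:
        v.score += 1
        v.reasons.append("About text is keyword-stuffed")
    return v


def fingerprint(files: dict[str, bytes]) -> dict[str, str]:
    """Map each relative path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def read_tree(root: Path) -> dict[str, bytes]:
    """Load a checked-out tree into memory as relative path -> bytes."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def diff_trees(candidate: dict[str, bytes],
               known_good: dict[str, bytes]) -> dict[str, list[str]]:
    """Files added, removed or changed in the candidate relative to a known-good copy."""
    a, b = fingerprint(candidate), fingerprint(known_good)
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


if __name__ == "__main__":
    # Constructed records: one mimicking a popular project, one legitimate.
    suspect = RepoRecord("someuser1234", "requests",
                         "\U0001F680 requests http python requests http client "
                         "python library requests fast http", 1)
    benign = RepoRecord("pallets", "flask",
                        "The Python micro framework for building web applications.", 20)
    for r in (suspect, benign):
        print(f"{r.owner}/{r.name}: {triage(r)}")
    # Compare a downloaded copy against a trusted checkout (constructed trees).
    print(diff_trees({"setup.py": b"print('hi')", "extra.py": b"..."},
                     {"setup.py": b"print('hi')", "README.md": b"# requests"}))
```

The metadata score is a prioritisation aid, not a verdict: a new single-repo account is common and legitimate, so a hit on every tell should route the repository to the content comparison (`read_tree` on both checkouts, then `diff_trees`), which is the check the article actually recommends.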
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4010125/github-hit-by-a-sophisticated-malware-campaign-as-banana-squad-mimics-popular-repos.html

