A sophisticated supply chain attack campaign targeting multiple GitHub repositories was uncovered in March 2024, raising significant concerns within the cybersecurity community. The attacks, bearing similarities to the recent xz Utils compromise, involve carefully crafted malicious pull requests designed to inject harmful code into legitimate projects.
Technical Analysis of the Attack Vector
Security researchers have identified a complex attack pattern where threat actors attempt to inject malicious Python code through seemingly innocent numerical sequences in pull requests. The primary attack vector involves the manipulation of model files, particularly targeting models.py, with encoded payloads that, when executed, establish unauthorized remote command and control capabilities.
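As an added illustration for reviewers (not code from Malcore or any of the affected projects), the sketch below scans a pull-request diff for added lines whose number lists decode to code-like text. It assumes the hidden payload is stored as decimal character codes; the token list, function names and sample diff are constructed for the example.

```python
import re

# Run of 8+ comma-separated integers of at most 3 digits, e.g. "105, 109, 112, ..."
NUM_RUN = re.compile(r"\b\d{1,3}(?:\s*,\s*\d{1,3}\b){7,}")
# Tokens that should never appear inside a list of numbers (assumed list).
SUSPICIOUS = ("import", "exec", "eval", "subprocess", "socket", "http")


def decode_run(run):
    """Decode a numeric run as character codes; None if not printable ASCII."""
    values = [int(v) for v in run.split(",")]
    if not all(v in (9, 10, 13) or 32 <= v <= 126 for v in values):
        return None
    return "".join(chr(v) for v in values)


def scan_diff(diff_text):
    """Return findings for added lines whose number runs decode to code-like text."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # file header, not an added line
            path = re.sub(r"^b/", "", line[4:])
            continue
        if not line.startswith("+"):         # only review what the PR adds
            continue
        for match in NUM_RUN.finditer(line):
            decoded = decode_run(match.group())
            hits = [t for t in SUSPICIOUS if decoded and t in decoded.lower()]
            if hits:
                findings.append({"file": path, "decoded": decoded, "tokens": hits})
    return findings


# Constructed sample: a harmless string hidden as numbers in models.py.
_hidden = 'import os; print("constructed sample")'
_codes = ", ".join(str(ord(c)) for c in _hidden)
SAMPLE_DIFF = f"""\
--- a/models.py
+++ b/models.py
@@ -1,3 +1,5 @@
 class Model:
+    weights = [{_codes}]
+    sizes = [512, 1024, 2048, 4096, 8192, 16384, 32768, 65536]
     pass
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f["file"], f["tokens"], repr(f["decoded"]))
```

A check like this only catches one encoding and is a triage aid for human review, not a replacement for it.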
Scope and Impact Assessment
Malcore’s security team has documented at least 18 distinct malicious pull requests targeting various high-profile repositories, including the popular media downloading tool yt-dlp. Analysis of the attack infrastructure suggests a concentrated effort originating primarily from Indonesian IP addresses, indicating a potentially coordinated campaign.
Notable Targeted Projects
The campaign specifically targeted repositories with significant user bases and active development communities. The EXO repository, maintained by AI startup Exo Labs, was among the first to detect and report suspicious activity, leading to broader investigation and discovery of similar attempts across other projects.
Advanced Social Engineering Tactics
The threat actors demonstrated sophisticated social engineering capabilities by impersonating renowned security researcher Mike Bell. Two primary malicious accounts, identified as evildojo666 and darkimage666, were instrumental in the campaign, combining code injection attempts with reputation attacks against legitimate security professionals.
To protect against such sophisticated supply chain attacks, organizations must implement comprehensive security measures including mandatory code signing, automated malware scanning, and enhanced authentication protocols. Security experts recommend implementing strict contribution guidelines, utilizing automated code analysis tools, and maintaining vigilant code review processes. Additionally, repository maintainers should enable branch protection rules and require multiple approvers for critical code changes. These preventive measures, combined with regular security audits and contributor verification processes, can significantly reduce the risk of successful supply chain compromises through GitHub repositories.