Discover the intricate GitHub attack: Threat actors impersonating Dependabot, stealing secrets & passwords.

Continue reading
In July 2023, Our scanners detected a series of atypical commits across hundreds of GitHub repositories, seemingly originating from Dependabot but concealing malevolent intentions. This Threatfeed delves deep into the technical intricacies of this cyberattack, highlighting the tactics employed by threat actors and the implications for developers and security professionals.
Between July 8-11, threat actors embarked on a sophisticated campaign, compromising both public and private GitHub repositories, focusing predominantly on Indonesian user accounts. Their modus operandi involved crafting counterfeit commit messages meticulously designed to mimic genuine contributions from Dependabot. This ruse aimed to deceive developers into dismissing the malicious activity.
The attackers ingeniously camouflaged their actions by impersonating the user account "dependabot[bot]." This manipulation added a layer of authenticity to their deceitful commits, making them appear benign at first glance.
In our extensive analysis of the affected repositories, we uncovered two distinct patterns of code changes suggestive of automated scripting. The first insidious alteration introduced a new GitHub Action file named "hook.yml." This file triggered every code push event, surreptitiously exfiltrating GitHub secrets and variables to a malicious endpoint: `hxxps://send[.]wagateway.pro/webhook`.
The second malicious modification was equally cunning. The attackers targeted JavaScript files (`.js`) within the projects, appending obfuscated lines of code at the end. This code snippet created a new script tag, executed in web browsers, and fetched an additional script from `hxxps://send[.]wagateway.pro/client.js?cache=ignore`. Its purpose was clear: intercepting user-submitted passwords from web forms and funneling them to the same exfiltration endpoint.
Understanding the attack's progression is crucial to fortifying defenses against such incursions. The assault unfurled in three distinct phases:
Step 1 – Workspace Initialization: Victims inadvertently played a pivotal role by initializing their development environments with personal access tokens (PATs) or alternative identification methods. These tokens, stored locally on their machines, became ripe targets for extraction. Notably, PATs do not mandate two-factor authentication (2FA), rendering them vulnerable to exploitation.
Step 2 – Stealing the Developer's Credentials: How attackers acquired developers' credentials remains speculative, but a prevalent method suggests using malicious packages. These insidious packages covertly exfiltrated PATs to the attackers' command and control (C2) server, providing unhindered access to compromised accounts.
Step 3 – Poisoning the Victim's Code Projects: Armed with stolen PATs, the attackers authenticated themselves on GitHub and executed the malevolent code changes detailed earlier. The scale of this assault suggested automation, highlighting the need for robust threat detection and prevention measures.
This incident serves as a stark reminder of the evolving sophistication of supply chain attacks, particularly when attackers exploit trusted entities like Dependabot. Developers and organizations must exercise vigilance in code acquisition, even from reputable sources like GitHub. It underscores the need for enhanced security measures.
To mitigate the risk of compromised tokens, GitHub introduces a groundbreaking solution: fine-grained personal access tokens (PATs) in public beta. These tokens afford developers granular control over permissions, reducing the potential for damage if a token is breached.
However, it's important to note that access log activity for GitHub's personal access tokens is exclusively visible to enterprise accounts, leaving non-enterprise users in the dark about potential compromises.
GitHub recognizes the paramount importance of safeguarding credentials and introduces fine-grained PATs to bolster security. Here's how they differ from the traditional personal access tokens (classic):
Developers can create fine-grained PATs through the Developer Settings section in their account settings. This feature simplifies building integrations and testing scripts, offering a level of control and security previously unavailable.
Organization owners gain newfound control over fine-grained PATs. They can opt to approve or reject each token targeting their organization or repositories. This feature enhances visibility and accountability, empowering organizations to safeguard their resources effectively.
While fine-grained PATs represent a significant leap in access control, there are scenarios where classic PATs remain necessary, such as access beyond one's organization or integration with enterprise account APIs. GitHub Actions and GitHub Apps are recommended for long-term automation needs, combining highly targeted permissions with administrator controls.
GitHub's commitment to security extends beyond this release. Future enhancements include support for GraphQL with fine-grained PATs, expanded API support for fine-grained permissions, and additional features for administrators to set and enforce PAT policies at scale.
Fine-grained personal access tokens are now available to all GitHub users, organizations, and enterprises on GitHub.com. Users are encouraged to provide feedback as GitHub continually refines this groundbreaking security feature.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.