Build server hacked and repositories compromised at the Libretro community, which develops RetroArch

The Libretro community, which develops the game console emulator RetroArch and the Lakka distribution for building game consoles, has warned of a compromise of project infrastructure and vandalism in its repositories. Attackers were able to gain access to the build server (buildbot) and repositories on GitHub.

On GitHub, the attackers gained access to all repositories of the Libretro organization using the account of one of the trusted project participants. Their activity was limited to vandalism: they tried to clear the contents of the repositories by placing an empty initial commit. The attack purged all the repositories listed on three of the nine pages of the Libretro repository listing on GitHub. Fortunately, the developers blocked the vandalism before the attackers reached the key RetroArch repository.

On the build server, the attackers damaged the services that generate nightly and stable builds, as well as those responsible for organizing network games (netplay lobby). Malicious activity on the server was limited to deleting content. There were no attempts to replace any files or to make changes to the RetroArch builds and the main packages. Currently, the Core Installer, Core Updater and Netplay Lobby, as well as the sites and services associated with these components (Update Assets, Update Overlays, Update Shaders), are not working.

The main problem the project faced after the incident was the lack of an automated backup process. The last backup of the buildbot server was made a few months ago. The developers attribute this to a lack of money for an automated backup system, given the limited budget for maintaining the infrastructure. They do not intend to restore the old server and will instead launch a new one, whose creation had been planned. In this case, builds for primary systems such as Linux, Windows, and Android will start immediately, but builds for specialized systems, such as game consoles and older MSVC builds, will take time to recover.

GitHub is expected to help restore the contents of the wiped repositories and identify the attacker; a corresponding request has been sent. So far, it is only known that the hack was carried out from the IP address 54.167.104.253, i.e. it is likely that the attacker used a compromised virtual server in AWS as an intermediate point. No information about the method of penetration has been given.

Source: opennet.ru
