A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub (wired.com) 16

Posted by msmash on Wednesday July 24, 2024 @04:01PM from the troubling-signs dept.

Researchers at Check Point have uncovered a clandestine network of approximately 3,000 "ghost" accounts on GitHub, manipulating the platform to promote malicious content. Since June 2023, a cybercriminal dubbed "Stargazer Goblin" has been exploiting GitHub's community features to boost malicious repositories, making them appear legitimate and popular.

Antonis Terefos, a malware reverse engineer at Check Point, discovered the network's activities, which include "starring," "forking," and "watching" malicious pages to increase their visibility and credibility. The network, named "Stargazers Ghost Network," primarily targets Windows users, offering downloads of seemingly legitimate software tools while spreading various types of ransomware and info-stealer malware.

A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub

This discussion has been archived. No new comments can be posted.

Load All Comments

Search 16 Comments Log In/Create an Account

Comments Filter:

Question (Score:2)

by smooth wombat ( 796938 ) writes:

If they found these accounts, did they remove them? Did they also examine them so they can try to recognize this type in the future?
Inquiring minds want to know.
- Re: Question (Score:1)
  
  by Samuel Silverstein ( 10475946 ) writes:
  
  I believe only GitHub can remove GitHub accounts.
Github is Git + MS social network shit tacked on (Score:2)

by Rosco P. Coltrane ( 209368 ) writes:

Just use the free Git part of it and ignore the social network garbage. The stars, followers and activity things are just pointless feel-good nonsense and gamification.
- Re: (Score:2)
  
  by Luthair ( 847766 ) writes:
  
  If you ignore the stars its even easier for bad guys to trick you since they don't even need to bother to pretend the repository is popular.
  When I'm looking at an open source project I'm not familiar with I begin with the assumption its malware. For larger projects it often impractical to do a security assessment so you're left with the heuristic of who is working on it and who else is using it.
Perhaps a verified tier? (Score:2)

by ctilsie242 ( 4841247 ) writes:

I wonder if GitHub needs verified tiers. For example, my GHE account is not just a paid account, but secured with a set of YubiKeys, has its own SSH and GPG keys. Of course, all those can be easily spam-created, but maybe we need to have some mechanism similar to Facebook, where it sends your address a snail mail item with a code in it, you type that in, and it confirms that the user has access to that physical address. Similar with a government ID. Maybe even tie into id.me or something similar to give
cheap joke (Score:2)

by JThundley ( 631154 ) writes:

Quietly spreading malware on Github? Must be Microsoft.
The liblzma / XZ / OpenSSH hack is a warning (Score:3)

by Seven Spirals ( 4924941 ) writes: on Wednesday July 24, 2024 @06:46PM (#64653306)

The liblzma hack proves that the Chinese and possibly other foreign actors are definitely trying to backdoor open source. They are probably trying to backdoor commercial software inside of Microsoft or other companies, too. I'd definitely pick SolarWinds as a target or some other widely used software (WhatsUp Gold or 7zip for example). All it would take is one Fang Fang to bang and setup some lonely long-haired coder and we'd see some fairly dramatic results. It's a target rich environment.

If they can hack the government and steal the HR records for all of our government employees (21M employee OPM Hack) I'm pretty sure that backdooring some little underfunded FOSS project would be no problem. They almost pulled it off with the XZ hack and that would have been absolutely devastating. Does anyone actually think that was their first try ?

Maybe related (Score:3)

by pauljlucas ( 529435 ) writes: on Wednesday July 24, 2024 @10:12PM (#64653592) Homepage Journal

An open-source project I have on GitHub occasionally gets forked by various accounts. However, AFAICT, they never do anything with the clones, i.e., they never make any of their own changes. So why do they bother cloning in the first place?

- Re: (Score:3)
  
  by pauljlucas ( 529435 ) writes:
  
  Everywhere I wrote "clone" I meant "fork."
- Re: (Score:2)
  
  by shabble ( 90296 ) writes:
  
  So why do they bother cloning in the first place?
  In case you delete/hide your repo? Or they may want to make changes later, but not upstream them?
  - Re: (Score:2)
    
    by pauljlucas ( 529435 ) writes:
    
    Maybe. But I have occasionally checked back with some of them in several months out of curiosity: still no changes including no keeping up-to-date with my changes since.
- Re: (Score:2)
  
  by bubblyceiling ( 7940768 ) writes:
  
  I do it, so I have a copy of my own, incase the parent goes down
  - Re: (Score:2)
    
    by pauljlucas ( 529435 ) writes:
    
    But unless you routinely update it to mirror changes to the original, it quickly falls out of date (though I guess that's better than nothing).
    - Re: (Score:2)
      
      by bubblyceiling ( 7940768 ) writes:
      
      There are only so many hours in the day

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub (wired.com) 16

A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub More Login

A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub

Question (Score:2)

Re: Question (Score:1)

Github is Git + MS social network shit tacked on (Score:2)

Re: (Score:2)

Perhaps a verified tier? (Score:2)

cheap joke (Score:2)

The liblzma / XZ / OpenSSH hack is a warning (Score:3)

Maybe related (Score:3)

Re: (Score:3)

Re: (Score:2)

Re: (Score:2)

Re: (Score:2)

Re: (Score:2)

Re: (Score:2)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot