Clever ‘GitHub Scanner’ pushes malware via repos

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.

This week: A clever "GitHub Scanner" campaign abuses GitHub issues and notification emails to push Lumma Stealer malware. Also: Why the Go programming language is growing in popularity.

This Week’s Top Story

Clever ‘GitHub Scanner’ pushes malware via repos

A new malicious campaign is posing as a "GitHub Scanner" service (supposedly a tool that identifies and fixes security issues in code and repositories) to distribute Lumma Stealer. The malware steals passwords, authentication cookies, browsing history, and crypto wallet data from victims. The targets are development teams that use open source project repositories, especially members who receive GitHub notifications about the repos they use.

For each targeted open source project, the attacker opens a new "issue" that falsely claims the project has a security vulnerability, and directs readers to a counterfeit "GitHub Scanner" domain that is not associated with GitHub. Once a victim visits the counterfeit site, they are tricked into downloading the Lumma Stealer malware for Windows.

The domain, github-scanner[.]com, asks users to complete a fake CAPTCHA test that is easily mistaken for the legitimate Google-owned reCAPTCHA tests found across the internet. As soon as the victim clicks the button labeled "I'm not a robot," JavaScript runs in the background and copies malicious code to the victim's clipboard. The page then shows a set of instructions telling the victim to open the Windows Run dialog and execute what was copied, which delivers the Lumma Stealer malware. The practitioner's takeaway: no legitimate CAPTCHA ever asks the user to paste something into the Run dialog, and a page that writes to the clipboard the moment a "verification" button is clicked should be treated as hostile.

While the fake site is convincing on its own, the threat is amplified by the abuse of a legitimate GitHub service: opening an issue causes GitHub itself to send genuine notification emails to everyone watching the repository. Because the email really does come from GitHub, the social engineering gains an additional level of credibility, allowing the threat actor to phish victims more effectively and distribute the malware. (BleepingComputer)
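Two of the checks a defender can run against this lure, written here as an added example that is not part of the newsletter or of the BleepingComputer report: the first pulls every link out of a GitHub issue or notification body and flags hosts that are not GitHub-owned, rating lookalikes that merely contain the string "github" (like github-scanner[.]com) highest; the second scans a fetched page for the fake-CAPTCHA pattern, a click handler that writes to the clipboard combined with text telling the user to open the Windows Run dialog and paste. The GitHub host allow-list, the regular expressions and all sample inputs are constructed for this example and are not from the original page.

```python
"""Offline triage helpers for the fake-"GitHub Scanner" lure.

Example code, not from the newsletter or the report it summarizes.
Allow-list, regexes and sample inputs below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts GitHub itself uses in notifications and issue links.
# Assumption: illustrative allow-list, not GitHub's official one.
# *.github.io is user-published content and is deliberately NOT trusted.
GITHUB_HOSTS = {"github.com", "www.github.com", "api.github.com"}
GITHUB_SUFFIXES = (".github.com", ".githubusercontent.com")

URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+")


def _is_github_host(host: str) -> bool:
    return host in GITHUB_HOSTS or host.endswith(GITHUB_SUFFIXES)


def notification_link_findings(body: str) -> list[dict]:
    """One finding per link whose host is not GitHub-owned.

    A non-GitHub host that contains "github" is a lookalike and is rated
    high; any other external host is rated medium so an analyst still looks.
    Hosts are returned defanged ("[.]") so they paste safely into a ticket.
    """
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if not host or _is_github_host(host):
            continue
        findings.append({
            "url": url,
            "host": host.replace(".", "[.]"),
            "severity": "high" if "github" in host else "medium",
        })
    return findings


# Signals of the clipboard lure. Each is weak on its own; the pair
# "writes to the clipboard" + "tells the user to open Run and paste" is
# what no legitimate CAPTCHA does, so that pair decides the verdict.
CLIPBOARD_WRITE_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)
CLICK_HOOK_RE = re.compile(r"onclick\s*=|addEventListener\(\s*['\"]click['\"]", re.I)
RUN_DIALOG_RE = re.compile(
    r"win(dows)?\s*(\+|key\s*\+?)\s*r\b|windows\s+run|run\s+dialog", re.I)
PASTE_RE = re.compile(r"ctrl\s*\+\s*v|paste", re.I)
BAIT_RE = re.compile(r"not a robot|verify you are human|captcha", re.I)


def clipboard_lure_findings(html: str) -> dict:
    """Return each signal as a boolean plus the combined verdict."""
    signals = {
        "clipboard_write": bool(CLIPBOARD_WRITE_RE.search(html)),
        "click_hook": bool(CLICK_HOOK_RE.search(html)),
        "run_dialog_instruction": bool(RUN_DIALOG_RE.search(html)),
        "paste_instruction": bool(PASTE_RE.search(html)),
        "verification_bait": bool(BAIT_RE.search(html)),
    }
    signals["is_lure"] = signals["clipboard_write"] and signals["run_dialog_instruction"]
    return signals


# Constructed sample inputs (not captured from the real campaign).
SAMPLE_ISSUE_BODY = """\
Security Vulnerability Report
We found a critical issue in your repository. Please run the scan at
https://github-scanner.com/verify to see the affected files.
Reference: https://github.com/example-org/example-repo/issues/42
"""

SAMPLE_LURE_HTML = """\
<div class="captcha"><p>Verify you are human</p>
<button onclick="navigator.clipboard.writeText(payload)">I'm not a robot</button>
<p>To complete verification: press Win+R, then Ctrl+V, then Enter.</p></div>
"""

SAMPLE_BENIGN_HTML = """\
<div class="g-recaptcha" data-sitekey="..."></div>
<button onclick="navigator.clipboard.writeText(location.href)">Copy link to share</button>
"""

if __name__ == "__main__":
    for f in notification_link_findings(SAMPLE_ISSUE_BODY):
        print(f"[{f['severity']}] external link to {f['host']}: {f['url']}")
    print("lure page:", clipboard_lure_findings(SAMPLE_LURE_HTML)["is_lure"])
    print("benign page:", clipboard_lure_findings(SAMPLE_BENIGN_HTML)["is_lure"])
```

The benign sample also writes to the clipboard (a normal "copy link" button), which is why the verdict requires the Run-dialog instruction as well; a clipboard write alone would drown the SOC in false positives.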

This Week’s Headlines

Go makes a comeback: What’s fueling its revival?

When the Go programming language was released in 2009, it was named "Programming Language of the Year" by the TIOBE Index, and its popularity has held up since. Now, government institutions and major corporations are stressing the importance of using memory-safe programming languages like Go for security purposes. Memory-safe languages, which also include Rust, Java, and Python, prevent whole classes of memory-related bugs and vulnerabilities because they manage memory automatically rather than leaving it to the programmer. Beyond the security benefit, Go offers high efficiency and performance with large data sets, making it a favored language for developing AI systems. (Venture Beat)

SolarWinds issues patch for critical ARM vulnerability

SolarWinds has released fixes for two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution. The vulnerability, tracked as CVE-2024-28991, is rated 9.0 out of a maximum of 10.0 on the CVSS scale and is described as deserialization of untrusted data. Piotr Bazydlo, a security researcher with Trend Micro's Zero Day Initiative, discovered and reported the flaw in May 2024. (The Hacker News)

How the new EU regulatory landscape will affect security

Nuno Teodoro, Vice President of Group Cybersecurity at Solaris Group, argues that recent regulation and policy coming out of the European Union (EU) will have a positive impact on software supply chain security. Teodoro stresses that the Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act (CRA) all impose "stringent requirements" on secure software development practices. Teodoro believes that these three regulations, when followed together by software manufacturers, will "elevate the baseline security standards for software development." (Infosecurity Magazine)

Seven ways to secure open-source software

David Balaban explains that while open-source software is the "backbone of modern digital infrastructure," it also carries major software supply chain risks. These threats stem from unpatched vulnerabilities, malware injected by a third party, typosquatted packages, and many other techniques. Balaban lays out seven ways that organizations relying on open-source software in their development projects can better secure their efforts. (SC Media)

Do boards understand their new role in cybersecurity?

Julie Ragland, a former Chief Information Officer (CIO) and IT leader who now sits on the boards of multiple organizations, explains how imperative it is that boards prioritize cybersecurity and the work of Chief Information Security Officers (CISOs). Ragland noted: "Boards typically don't have technical expertise, so they're sometimes intimidated by the topic and just want the company's CIO and CISO to take care of it," which is why "it's incumbent on the CIO to provide the right board-level cyber education." To do this, Ragland argues that "CIOs (and CISOs) should step away from technical presentations and move to a risk management format." (CIO)

Looking for more insights on software supply chain security? Head to the RL Blog.

The Best of RL

Interview | SolarWinds: Building a Path to Excellence in Software Supply Chain Security with RL Spectra Assure

SolarWinds CISO Tim Brown is building a path to excellence in securing the company's software supply chain. One of the tools in SolarWinds' cybersecurity arsenal is Spectra Assure, which provides the critical final-build exam SolarWinds runs before it releases its software. [Watch It Here]

Webinar | Software Supply Chain Security 101

September 25 at 12 pm ET

RL technical experts Jasmine Noel and Joshua Knox will offer a crash course on the technical aspects of software supply chain compromises and demonstrate how to assess the risks posed by commercial software. Their technical insights and actionable recommendations will help you position your organization to handle this growing threat. [Register Here]

Interactive Demo | Spectra Assure

September 27 at 12 pm ET

Join to see how Spectra Assure, RL's premier software supply chain security solution, simplifies the detection of threats and exposures, enabling software producers and enterprise buyers to minimize the impact of supply chain attacks on their organizations. [Register Here]

Looking for more great conversations to watch? See RL's on-demand webinar library.
