GitHub repos bombarded by info-stealing commits masked as Dependabot
ReversingLabs
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.
This week: Hackers are bombarding public and private GitHub repositories with fake Dependabot commits to steal authentication secrets from developers. Also: A stream of malicious npm and PyPI packages has been found stealing a wide range of sensitive data, also from developers.
This Week’s Top Story
GitHub repos bombarded by info-stealing commits masked as Dependabot
Hackers are using a new method to carry out malicious campaigns on both public and private software repositories, BleepingComputer reports. Researchers at Checkmarx discovered a July 2023 campaign in which threat actors breached GitHub accounts and inserted malicious code into repositories while disguising their commits as the work of the Dependabot tool. Using the same ruse, the attackers have been stealing authentication secrets and passwords from targeted developers, Checkmarx said.
GitHub's Dependabot is an automated tool that opens pull requests to update code dependencies that contain known vulnerabilities. Checkmarx researchers said they believe the attackers used stolen GitHub access tokens to make the fake Dependabot contributions, allowing them to insert the malicious code needed to steal project secrets. Checkmarx does not know exactly how the GitHub access tokens were stolen, but its researchers believe they may have come from a malware infection delivered by a malicious package.
With access to the GitHub accounts, the attackers used scripts to push commits with the message "fix", authored to look as if they came from Dependabot, that deliver malicious code. The code both extracts secrets from the GitHub project and modifies JavaScript files to add malware that steals passwords from end users of the affected projects. Victims of the campaign found that their Personal Access Tokens (PATs) had been stolen; because a PAT authenticates on its own, its holder bypasses multi-factor authentication (MFA), which let the attackers pull still more information from the targeted developers.
One proposed defense against this kind of campaign is switching to GitHub's fine-grained personal access tokens, which have been available for roughly a year and can restrict a token to specific repositories and permissions. Limiting what a credential can do, also referred to as "user least privilege", is considered the best way to contain the damage from account takeovers and from attacks like this one that trade on Dependabot's credibility: a token scoped to one repository and read-only contents cannot be used to push to every project the account can reach.
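The campaign described above was visible in the git history itself: commits authored as dependabot[bot] but carrying a one-word message, "fix", rather than a dependency bump. The script below is an added example (not code from ReversingLabs, Checkmarx or GitHub) of the review a maintainer can run offline over `git log --format='%H%x09%an%x09%ae%x09%G?%x09%s'` output. It flags any commit that claims to be Dependabot but fails one of three checks: the author email is not Dependabot's canonical noreply address, the commit does not carry a good GPG signature (GitHub signs genuine Dependabot commits with its web-flow key, so that key must be in the local keyring or every commit shows as `N`), or the subject does not look like a dependency bump. The subject pattern is a heuristic, and the sample log lines are constructed for this example; everything flagged is a candidate for review, not proof of compromise.

```python
"""Flag git commits that present as Dependabot but do not look genuine.

Added example, not the project's or vendor's code. Input is one commit per
line, tab-separated, as produced by:

    git log --format='%H%x09%an%x09%ae%x09%G?%x09%s'

Columns: sha, author name, author email, signature status (%G?), subject.
"""
import re
from dataclasses import dataclass

# Author identity GitHub uses for genuine Dependabot commits.
DEPENDABOT_NAME = "dependabot[bot]"
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"

# Genuine Dependabot subjects read "Bump <pkg> from <old> to <new>", optionally
# behind a configured prefix such as "build(deps): ". Heuristic, not a spec.
SUBJECT_RE = re.compile(r"bump \S+ from \S+ to \S+", re.IGNORECASE)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str  # %G?: G=good, B=bad, U=good but untrusted key, N=unsigned, ...
    subject: str


def parse_log(text):
    """Parse the tab-separated log format above into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def suspicious_reasons(commit):
    """Return the reasons a commit claiming to be Dependabot looks forged (empty if fine)."""
    claims_dependabot = (
        DEPENDABOT_NAME in commit.author_name.lower()
        or "dependabot" in commit.author_email.lower()
    )
    if not claims_dependabot:
        return []  # ordinary human commit: out of scope for this check
    reasons = []
    if commit.author_email != DEPENDABOT_EMAIL:
        reasons.append(f"author email {commit.author_email!r} is not Dependabot's noreply address")
    if commit.sig_status != "G":
        reasons.append(f"signature status {commit.sig_status!r}, expected 'G' from GitHub's web-flow key")
    if not SUBJECT_RE.search(commit.subject):
        reasons.append(f"subject {commit.subject!r} does not look like a dependency bump")
    return reasons


def audit(text):
    """Map sha -> list of reasons for every commit that fails the Dependabot checks."""
    return {c.sha: r for c in parse_log(text) if (r := suspicious_reasons(c))}


# Constructed sample: one genuine-looking bump, one forged "fix" pushed with a
# spoofed email and no signature, one human commit, and one forged "fix" that
# got the email right but could not produce GitHub's signature.
SAMPLE_LOG = "\n".join([
    "a1b2c3d\tdependabot[bot]\t" + DEPENDABOT_EMAIL + "\tG\tBump semver from 7.3.8 to 7.5.4",
    "e4f5a6b\tdependabot[bot]\tdependabot@example.invalid\tN\tfix",
    "c7d8e9f\tAlice Example\talice@example.invalid\tN\tAdd retry to fetch helper",
    "0a1b2c3\tdependabot[bot]\t" + DEPENDABOT_EMAIL + "\tN\tfix",
])

if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG).items():
        print(sha)
        for reason in reasons:
            print("  -", reason)
```

Pipe real history in with `git log --format='%H%x09%an%x09%ae%x09%G?%x09%s' | python3 audit.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. Note that the author name and email are client-supplied and trivially spoofed by anyone holding a push-capable PAT; the signature status is the check an attacker pushing over git cannot fake, which is why it is worth the one-time step of importing GitHub's web-flow key.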
This Week’s Headlines
SSH keys stolen by stream of malicious PyPI and npm packages
A stream of malicious npm and PyPI packages has been found stealing a wide range of sensitive data from software developers on those platforms, including SSH keys. Since the start of the campaign, the attackers have uploaded 45 packages to npm (40) and PyPI (5), with variants in the code indicating rapid evolution of the attack. (Bleeping Computer)
Research reveals 80% of applications developed in EMEA contain security flaws
Veracode released research indicating applications developed by organizations in Europe, the Middle East and Africa (EMEA) tend to contain more security flaws than those created by their U.S. counterparts. EMEA applications also have the highest percentage of ‘high severity’ flaws, meaning they would cause a critical issue for businesses if exploited. (IT Security Guru)
Critical libwebp Vulnerability Under Active Exploitation - Gets Maximum CVSS Score
Google has assigned a new CVE identifier to a critical security flaw in libwebp, the image library used to render the WebP format, which has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue was given the maximum severity score of 10.0 on the CVSS rating system. (Update: CVE-2023-5129 has since been rejected as a duplicate of CVE-2023-4863, which remains the identifier to track for the libwebp flaw.) (The Hacker News)
JetBrains TeamCity critical vulnerability opens door for supply chain attacks
JetBrains has disclosed a critical-rated vulnerability in its TeamCity CI/CD server; exploiting it can lead to remote code execution (RCE) and give attackers full administrative control of the server. Tracked as CVE-2023-42793, the authentication bypass flaw affects the on-premises version of TeamCity and could grant broad access to source code and build pipelines, opening victims up to software supply chain attacks. (ITPro)
GitHub Passkeys Are Now Generally Available
GitHub has officially rolled out its passkeys feature, marking a significant step in secure and passwordless authentication. This feature, initially introduced in beta two months ago, utilizes cryptographic key pairs for cloud-synced authentication, allowing users to employ familiar screen-lock PINs or biometrics for secure access to online services. GitHub's initiative aligns with the collaborative efforts of tech giants like Google, Apple, and Microsoft, alongside the FIDO Alliance, to implement passwordless logins across various platforms. (WinBuzzer)
Resource Round Up
ReversingGlass Video: EPSS 3.0 + CVSS: Why Prioritizing Software Risk Is Key
In this 4-min episode, ReversingLabs Field CISO Matt Rose explains what the newest version of the Exploit Prediction Scoring System (EPSS) is, and how it compares to the Common Vulnerability Scoring System (CVSS) when it comes to minimizing alert fatigue — and prioritizing the highest-risk vulnerabilities. [Watch Now]
ConversingLabs Podcast: Apple Devices as a Growing Attack Vector
In this ConversingLabs episode, host Paul Roberts speaks with Devin Byrd, Director of Threat Intelligence at Kandji. Byrd explains how Kandji has grown into a major security provider for macOS users, and how attacks targeting macOS and iOS users have increased in recent years. [Listen Now]
Upcoming Webinar: Threat Modeling and Software Supply Chain Security: Why it matters more than ever.
In this webinar, Chris Romeo, CEO of Devici and co-founder of the Threat Modeling Manifesto, will join ReversingLabs Field CISO Matt Rose for a lively discussion about how threat modeling can be applied to supply chain security to better plan your organization's risk management approach. [Register Now]