GitHub has been battling a malware campaign for several months in which attackers copy legitimate code repositories, infect them with malware and redistribute the copies.
Be careful when downloading code repositories from GitHub: not everything is as it seems on the open source platform. Since May, GitHub has been plagued by malicious Python repositories that appear to be legitimate code. According to the security company Apiiro, at least 100,000 malicious repositories are in circulation.
The company's researchers explain the methodology behind the malware campaign. Malicious actors play a dangerous copy-paste game with legitimate code repositories: they copy legitimate Python code and hide malware in it. Thousands of "clones" of the repository are then created under the same description as the original and distributed via GitHub and other channels. Once installed, the malware harvests sensitive data from the victim, such as login credentials for other applications.
Off screen
GitHub is able to scan repositories for malware, and most clones are quickly removed. If that were not the case, the number of malicious files could run into the millions, Apiiro suspects. But the attackers have their own tricks for hiding the malware.
The `exec` call that launches the malicious code is hidden by inserting hundreds of blank lines into the repository's files. This means the malware literally "disappears from the screen" during a manual review. This padding trick ensures that hundreds of thousands of malicious repositories persist, Trend Micro explains in a blog.
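The padding trick above is easy to check for mechanically. The following script, an added example that is not part of the original article or of Apiiro's or Trend Micro's tooling, parses a Python file with the standard `ast` module and flags every `exec`/`eval` call that sits behind a long run of blank lines; the sample file and the `PAYLOAD` name are constructed placeholders, and the 50-line threshold is an assumption.

```python
import ast
from typing import List, Tuple

# Constructed sample of a tampered file: a few lines of ordinary code, then
# 300 blank lines, then the hidden call. PAYLOAD is a hypothetical placeholder;
# the file is only parsed here, never executed.
SAMPLE_SOURCE = (
    "import os\n\ndef helper():\n    return 1\n"
    + "\n" * 300
    + "exec(PAYLOAD)  # placeholder standing in for the hidden call\n"
)

SUSPICIOUS_CALLS = {"exec", "eval"}


def find_hidden_exec(source: str, min_gap: int = 50) -> List[Tuple[int, int, str]]:
    """Return (line_no, blank_lines_before, func_name) for every exec()/eval()
    call preceded by at least `min_gap` consecutive blank lines."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        if node.func.id not in SUSPICIOUS_CALLS:
            continue
        # Walk upwards from the line above the call and count blank lines.
        gap, i = 0, node.lineno - 2
        while i >= 0 and lines[i].strip() == "":
            gap += 1
            i -= 1
        if gap >= min_gap:
            findings.append((node.lineno, gap, node.func.id))
    return findings


def blank_line_ratio(source: str) -> float:
    """File-level heuristic: share of lines that are blank (0.0 to 1.0)."""
    lines = source.splitlines()
    if not lines:
        return 0.0
    return sum(1 for ln in lines if ln.strip() == "") / len(lines)


if __name__ == "__main__":
    for line_no, gap, name in find_hidden_exec(SAMPLE_SOURCE):
        print(f"line {line_no}: {name}() after {gap} blank lines")
    print(f"blank-line ratio: {blank_line_ratio(SAMPLE_SOURCE):.2f}")
```

Run it over a cloned repository's `.py` files before installing anything from it; a call reported hundreds of lines below the last visible code is exactly what a quick scroll through the file would miss.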
Since GitHub hosts over 400 million repositories, the chance of ending up with a malicious clone is relatively low. However, the researchers fear that GitHub users could spread the clones further without realizing it. GitHub acknowledges that this is a serious issue and says it is looking for a way to eliminate it permanently, although it does not appear to have found one yet.