What makes this particularly sneaky is that the malicious code was never committed to the official repos at all. GitHub allows version tags to point to commits from a fork of the same repository. The attacker exploited this to create tags pointing to commits in a malicious fork they controlled.
So, for any project on GitHub, an attacker only needs to get permission to make tags on the project and they can put anything they want into a release without the project maintainers seeing the code in their repository. It’s a lot harder to sneak in an exploit when some other project maintainer will be reviewing your pull request. Now they can just get some dev’s tag permission through some other credential-stealing exploit and they’re all set.
Thanks GitHub.
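One defensive check the post implies: a release tag whose target commit is not reachable from any branch of the official repository deserves scrutiny, because that commit was never part of the reviewed history. The following is an added example, not code from the post or from GitHub; the commit ids, branch heads and tag names are constructed, and the commit graph stands in for what `git rev-list` would give you on a real clone.

```python
from collections import deque


def commits_reachable_from(branch_heads, parents):
    """Return the set of commit ids reachable from the given branch head commits.

    `parents` maps commit id -> list of parent commit ids (a constructed stand-in
    for the commit graph; on a real checkout you would ask git instead).
    """
    seen = set()
    queue = deque(branch_heads)
    while queue:
        commit = queue.popleft()
        if commit in seen:
            continue
        seen.add(commit)
        queue.extend(parents.get(commit, []))
    return seen


def suspicious_tags(tags, branch_heads, parents):
    """Return tags whose target commit is not reachable from any branch head.

    A tag resolving to a commit outside the repository's own branch history is
    exactly the case described in the post: the commit lives in a fork, so no
    maintainer reviewing the repo's branches ever saw it.
    """
    in_history = commits_reachable_from(branch_heads, parents)
    return {name: target for name, target in tags.items() if target not in in_history}


# Constructed commit graph (hypothetical ids). The official repo's main branch is
# c1 -> c2 -> c3. "c_fork" was pushed to a fork; its parent c2 is a real upstream
# commit, so the tag looks plausible, but no upstream branch reaches c_fork.
PARENTS = {
    "c1": [],
    "c2": ["c1"],
    "c3": ["c2"],
    "c_fork": ["c2"],
}
BRANCH_HEADS = ["c3"]  # heads of every branch in the official repo
TAGS = {"v1.2.0": "c3", "v1.2.1": "c_fork"}

if __name__ == "__main__":
    # Equivalent check against a real clone:
    #   git branch -r --contains "$(git rev-parse v1.2.1^{commit})"
    # prints no branch when the tag points outside every remote branch.
    for name, target in suspicious_tags(TAGS, BRANCH_HEADS, PARENTS).items():
        print(f"tag {name} -> {target} is not on any branch of the official repo")
```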