Commit

Merge pull request #1247 from zerb4t/eR7bgQz4Ve
compromises: gitgot
anvega committed Jun 10, 2024
2 parents 55a5251 + 91ab247 commit 1fd5e48
Showing 2 changed files with 25 additions and 0 deletions.
24 changes: 24 additions & 0 deletions supply-chain-security/compromises/2024/gitgot.md
@@ -0,0 +1,24 @@
<!-- cSpell:ignore warbeast -->

# GitGot: using GitHub repositories as exfiltration store

ReversingLabs identified two npm packages, "warbeast2000" and "kodiak2k" which
were designed to steal SSH keys from developers by exploiting GitHub
repositories _as storage_.

## Impact

> Fortunately, the reach of this campaign was limited. ReversingLabs observed
> different accounts publishing warbeast2000 and kodiak2k on npm. The
> warbeast2000 package was downloaded a little less than 400 times, whereas the
> kodiak2k was downloaded around 950 times.
## Type of compromise

- **Trust and Signing**: This means that in addition to leveraging implicit
trust on `github.com` for pulls, attackers were using Personal Access Tokens
(PATs) to leverage that implicit trust for exfiltration.

## References

- [ReversingLabs Blog](https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data)
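Review bot: The **Trust and Signing** bullet under "Type of compromise" opens with "This means that in addition to ..." but nothing before it says what "This" refers to, so the entry does not explain on its own why the incident falls in that category. Suggest stating the mechanism directly, combining what the summary and the bullet already say: the packages relied on the implicit trust in `github.com` and used Personal Access Tokens (PATs) to write the stolen SSH keys to GitHub repositories. Two smaller points in the same file: the `## Type of compromise` heading follows the Impact blockquote with no blank line in between, and the blockquote carries no attribution, so a reader cannot tell which source is being quoted. The bullet's continuation lines ("trust on `github.com` ..." and "(PATs) to leverage ...") would also read more cleanly indented under the list item.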
1 change: 1 addition & 0 deletions supply-chain-security/compromises/README.md
Expand Up @@ -30,6 +30,7 @@ of compromise needs added, please include that as well.
<!-- cSpell:disable -->
| Name | Year | Type of compromise | Link |
| ----------------- | ------------------ | ------------------ | ----------- |
| [GitGot: using GitHub repositories as exfiltration store](2024/gitgot.md) | 2024 | Trust and Signing | [1](https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data) |
| [ManageEngine xmlsec dependency](2023/xmlsec-manageengine.md) | 2023 | Outdated Dependencies | [1](ttps://flashpoint.io/blog/manageengine-apache-santuario-cve-2022-47966) |
| [Retool Spear Phishing](2023/retool-portal-mfa.md) | 2023 | Dev Tooling | [1](https://www.coindesk.com/business/2023/09/13/phishing-attack-on-cloud-provider-with-fortune-500-clients-led-to-15m-crypto-theft-from-fortress-trust/) |
| [Fake Dependabot commits](2023/fake-dependabot.md) | 2023 | Source Code | [1](https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/) |
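Review bot: The context row directly below the added GitGot line links to `ttps://flashpoint.io/blog/manageengine-apache-santuario-cve-2022-47966`, which is missing the leading `h` of the scheme and will not resolve as an external link. It predates this change, but since the table is being touched here it is worth correcting to `https://` in the same commit or a follow-up. The added row itself is consistent with the new file: same title, year 2024, type "Trust and Signing", and the same ReversingLabs URL as the References section of `2024/gitgot.md`.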