Computing

Our Repo Got More Than 100 GitHub Stars From Compromised Accounts | HackerNoon

News Room
News Room
Our Repo Got More Than 100 GitHub Stars From Compromised Accounts | HackerNoon

TL;DR

There is widespread npm supply chain attack taking place now, and your GitHub account might have been compromised. Check if your account has created new repos or has made commits you didn’t. More info about the attack can be found here.

Unexpected GitHub Stars

Yesterday night I noticed that our repo got more than 100 stars in one day, and went from 330 to 440. This was very unexpected, because we haven’t done anything to promote it recently. Initially, I thought that maybe someone saw it and shared it, but then I checked on the traffic and it hadn’t increased at all from the previous days.

Users with weird behaviour

I told this to my co-maintainer, and we started looking at the users’ profiles who starred the repo. After a few users we started noticing a pattern, either they had pinned repos with weird names or they had had made commits to repos where they changed the README.md file.

Weird commits

The explanation

Gitlab has published a report about the attack. They have explained it very well, but in a nutshell this is what is happening:

  • An infected npm package is installed.

  • During the installation, a modified package.json, which ends up installing a 10MB obfuscated file.

  • Then the malware is searching for GitHub and other credentials in the compromised system.

  • The malware is creating new repos using the stolen GitHub credentials, the repo has the description “Sha1-Hulud: The Second Coming.”, which are served as storage for stolen credentials.

  • Finally, the malware is looking for other repos with the same description in order to get other stolen credentials.

    Also, the malware is propagating itself by getting the npm packages that are maintained by the victim and adds the malicious file to the package and then publishes with a new version.

    It isn’t so easy to stop it

    The report is saying that if an affected system loses access to both GitHub and npm then it starts a destruction on the compromised system. This means that GitHub can’t mass delete the malware’s repos.

    Summary

    In your system you can check for indications of compromise, which are listed here.

    Unfortunately, our repo didn’t become viral but our accounts are safe. Have a look at your accounts and repos and see if are affected.

    I am hoping the next 100 stars to our remote pair programming app will be organic and not fake.

    I have reached out to as many people as I could to inform them that their account might have been affected.

    As always this post was 100% manually typed.

Share This Article
Previous Article 43 of the Best Movies on Netflix You Should Stream Right Now 43 of the Best Movies on Netflix You Should Stream Right Now
Next Article JustiGuide wants to use AI to help people navigate the US immigration system  | News JustiGuide wants to use AI to help people navigate the US immigration system  | News
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Latest News

Apple Granted Reset on New Campus Deal
Apple Granted Reset on New Campus Deal
News
The HackerNoon Newsletter: Everyones Using the Wrong Algebra in AI (11/27/2025) | HackerNoon
The HackerNoon Newsletter: Everyones Using the Wrong Algebra in AI (11/27/2025) | HackerNoon
Computing
10 Best Thanksgiving Movies to Watch After Your Feast
10 Best Thanksgiving Movies to Watch After Your Feast
News
Nvidia gives a break to investors and Big Tech firms…, for now
Nvidia gives a break to investors and Big Tech firms…, for now
Mobile
Lost your password?