GitHub Alert: Malicious Commits Frame Researcher – Here Is a Quick Look.

In a recent cybersecurity incident, several GitHub projects were targeted with malicious commits and pull requests. These actions aimed to inject backdoors into the projects, raising concerns about the true intentions behind the attacks. Let’s have a closer look.

Exo Labs: A Targeted Attack

The GitHub repository of Exo Labs, an AI and machine learning startup, was one of the targets. Alex Cheema, co-founder of Exo Labs, warned about an “innocent looking” code change submitted to the repository. The pull request, titled “clarify mlx requirement for deepseek models,” attempted to modify the models.py Python file by adding a sequence of numbers.

Understanding the Malicious Code

The sequence of numbers represented characters in plaintext Python code, which had been converted to their numbers-equivalent form. This piece of code attempted to connect to a URL and download a “stage1” payload. If the code change had been approved and merged, anyone using the product could have executed the code remotely, resulting in a functional backdoor. However, the link returned a 404 error, indicating that no content existed at the location.

The Impersonation Incident

The commit was submitted by a GitHub user named “evildojo666,” an account that has since been deleted. The archived page for the username and the domain evildojo.com pointed to Mike Bell, a Texas-based security researcher, ethical hacker, and software engineer. Bell denied any involvement, claiming that someone was impersonating him to smear his reputation. He stated that there was never any payload and questioned why people assumed there was.

Ease of Impersonation on GitHub

Creating a GitHub account using another person’s details and profile picture is trivial, allowing anyone to submit code changes and pull requests under someone else’s name. The non-existent “stage1payload” page on evildojo’s domain further indicated that this was likely a smear campaign against Bell. Another now-deleted account, “darkimage666,” also impersonated Bell and engaged in similar malicious efforts.

Wider Impact on Other Projects

Social media users noted that other projects had been targeted by different GitHub user accounts with similar commits. Threat intel analyst vx-underground mentioned that yt-dlp, a popular open-source audio and video download project, was among those targeted. This demonstrates that malicious actors are casting a wide net in their attempts to infiltrate and compromise multiple projects.

Vigilance and Security Measures

The incident highlights the importance of vigilance when reviewing code changes and pull requests on GitHub. Developers and project maintainers must carefully scrutinize every submission to prevent such malicious activities. The true motives behind these attacks remain unclear, but the impact on the targeted projects and individuals is evident.

Conclusion: Safeguarding the Open-Source Community

The targeting of GitHub projects with malicious commits to frame a researcher underscores the need for enhanced security measures and awareness within the open-source community. By staying vigilant and implementing robust review processes, developers can help protect their projects from such malicious activities.

In addition to careful review, utilizing tools such as automated code analysis and two-factor authentication can enhance security. It is essential for the community to share information about such threats and collaborate on creating a safer development environment.

Through collective efforts and continued vigilance, we can safeguard the integrity of open-source projects and maintain trust within the developer community.

---

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it