GitHub Discovers a Dependabot Commits Hoax
Malicious Code Passed as Legitimate Dependabot Contributions
Security researchers recently uncovered a campaign against GitHub users in which malicious commits were disguised as contributions from GitHub's Dependabot.
The campaign reportedly took place in July, when researchers found "unusual commits" on "hundreds" of public and private repositories that appeared to be Dependabot commits, BleepingComputer explained, citing a recent report by Checkmarx.
The impersonation did not involve compromising Dependabot itself. According to SecurityWeek, the threat actors used "stolen personal access tokens" (PATs) belonging to legitimate contributors to push malicious code, and set the commit author metadata to Dependabot so that the changes would pass as routine dependency updates. Git does not tie the author name and e-mail recorded in a commit to the identity of the token that pushed it, which is what makes this disguise possible.
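The distinguishing signal a repository maintainer can check is the one the attacker cannot forge: Dependabot's own commits are signed by GitHub and display as verified, while a commit pushed with a stolen PAT and a forged author line is not. The audit below is an added example and not code from the page, from Checkmarx or from GitHub. It runs over constructed sample records shaped like the GitHub REST API's commit object (`commit.author`, `commit.verification`, top-level `author`); the bot's login name and e-mail are assumptions noted in the code, and GitHub's attribution of a commit to an account by e-mail match is why the avatar and login alone are not proof.

```python
"""Audit commit records for Dependabot impersonation.

Signal: the pusher of a commit can set any author name/email, but cannot
produce GitHub's signature on a genuine Dependabot commit.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed login of the real bot account on GitHub.com.
DEPENDABOT_LOGIN = "dependabot[bot]"


@dataclass
class Finding:
    sha: str
    reason: str


def claims_dependabot(commit: dict) -> bool:
    """True if the free-text author metadata presents the commit as Dependabot's."""
    author = commit.get("commit", {}).get("author") or {}
    name = (author.get("name") or "").lower()
    email = (author.get("email") or "").lower()
    return "dependabot" in name or "dependabot" in email


def audit_commit(commit: dict) -> Optional[Finding]:
    """Return a Finding when a commit claims to be Dependabot's but cannot prove it."""
    if not claims_dependabot(commit):
        return None
    sha = commit["sha"]
    verification = commit["commit"].get("verification") or {}
    # Genuine Dependabot commits are signed by GitHub (verified=True); a commit
    # pushed with a stolen PAT and a forged author line carries no such signature.
    if not verification.get("verified"):
        return Finding(sha, "author claims Dependabot but signature is "
                            f"{verification.get('reason', 'missing')}")
    gh_author = commit.get("author") or {}
    # Defence in depth: a verified commit should also be attributed to the bot
    # account, not to a human user (account type 'Bot' is an assumption).
    if gh_author.get("login") != DEPENDABOT_LOGIN or gh_author.get("type") != "Bot":
        return Finding(sha, "verified commit but attributed to account "
                            f"{gh_author.get('login')!r}, not {DEPENDABOT_LOGIN}")
    return None


def audit_commits(commits: List[dict]) -> List[Finding]:
    """Run audit_commit over a page of commit records and keep the findings."""
    return [f for f in map(audit_commit, commits) if f is not None]


# Constructed sample records (not real commits), shaped like the objects
# returned by GET /repos/{owner}/{repo}/commits. The noreply e-mail is assumed.
BOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"
SAMPLE_COMMITS = [
    {   # genuine: signed by GitHub, matched to the bot account
        "sha": "aaaa0001",
        "commit": {"author": {"name": "dependabot[bot]", "email": BOT_EMAIL},
                   "message": "Bump lodash from 4.17.20 to 4.17.21",
                   "verification": {"verified": True, "reason": "valid"}},
        "author": {"login": "dependabot[bot]", "type": "Bot"},
    },
    {   # spoofed: same author line pushed with a user's stolen PAT. GitHub still
        # matches the e-mail to the bot account, so the avatar looks right;
        # only the missing signature gives it away.
        "sha": "bbbb0002",
        "commit": {"author": {"name": "dependabot[bot]", "email": BOT_EMAIL},
                   "message": "fix(deps): bump versions",
                   "verification": {"verified": False, "reason": "unsigned"}},
        "author": {"login": "dependabot[bot]", "type": "Bot"},
    },
    {   # ordinary human commit: not in scope of this check
        "sha": "cccc0003",
        "commit": {"author": {"name": "Alice", "email": "alice@example.com"},
                   "message": "Add README",
                   "verification": {"verified": False, "reason": "unsigned"}},
        "author": {"login": "alice", "type": "User"},
    },
]

if __name__ == "__main__":
    for finding in audit_commits(SAMPLE_COMMITS):
        print(finding.sha, finding.reason)
```

Against the sample data only `bbbb0002` is reported. To run this over a real repository, page through the list-commits endpoint with `author=dependabot[bot]` and feed each page to `audit_commits`; the spoofed commits in this campaign would surface as Dependabot-attributed commits whose `verification.verified` is false.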
The Dependabot campaign comes roughly a year after a phishing campaign that impersonated CircleCI to harvest GitHub credentials drew press attention.
GitHub's own systems were not compromised in that campaign, but a number of organizations were. GitHub published details of the campaign to raise awareness and help potential targets protect themselves.
Phishing domains seen in the campaign since September 2022 include circle-ci[.]com, emails-circleci[.]com, circle-cl[.]com, email-circleci[.]com, and links-circleci[.]com; note the typosquatting, with a hyphen inserted or an "l" in place of an "i" in the legitimate name. GitHub advised customers to act immediately, since the attacks could still be ongoing.
In response, GitHub reset the passwords of affected users, removed any credentials the threat actors had added to compromised accounts, and notified all known affected users and organizations.
GitHub urges users and organizations who believe they entered credentials on a phishing site to reset their passwords, enable two-factor authentication, and regularly review their security settings, including the personal access tokens, SSH keys and authorized applications on the account. Two-factor authentication protects the login, not a token that has already been stolen, so in a campaign like the Dependabot one, revoking and reissuing tokens is the step that actually cuts off the attacker.
Analysts urge GitHub users to remain vigilant and treat any message or prompt that asks for login credentials with caution. By staying informed and taking these precautions, users can protect themselves and their organizations from falling victim to phishing campaigns.