Checkmarx security researchers have issued a warning about a new supply chain attack method in which attackers use fake commit metadata to make malicious GitHub repositories look legitimate.


What are Commits?

Commits are the basic units of change in a Git repository hosted on GitHub, and each has a unique hash (ID). A commit records what changed, when it changed, and who made the change.

Deceiving the developers

According to Checkmarx researchers, threat actors can tamper with commit metadata to make repositories look active and up to date. The committer identity can be spoofed so that a commit appears to come from a legitimate GitHub account.

Fake commits can be generated automatically and added to the user’s GitHub activity graph, making it appear that the account has been active on the code hosting platform for a very long time.
Developers are deceived because they believe the repository comes from a trustworthy source.

According to Checkmarx, the threat actors can manipulate the timestamps associated with commits.

Attack tactics

To launch the attack, threat actors need the email address of the committer account.

They then use Git commands to substitute the spoofed username and email for their own.
Repeating this tactic fills the repository’s contributors section with verified contributors and gives the project a credible appearance.

As a result, the GitHub repository's reputation is improved, but the spoofed user is never made aware that their identity has been used.

Conclusion & Prevention

Fake metadata tricks developers into using code they would otherwise shun, which lends threat actors legitimacy. To counter this, Checkmarx researchers recommend that developers sign their commits. Staying vigilant about contributors’ activity can also help contain such supply chain attacks.
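As an added example, not from the Checkmarx report or this article, the following Python script applies both recommendations to `git log` output: it flags unsigned or badly signed commits, contributor emails missing from an allowlist, author/committer mismatches, future-dated commits, and committer dates that run backwards through a linear history. The `git log` invocation in the docstring and the sample log are assumptions constructed for the demonstration.

```python
"""Audit git commit metadata for spoofed identities or dates (added example).

Assumed input, one commit per line from:
  git log --first-parent --format='%H%x09%an%x09%ae%x09%cn%x09%ce%x09%at%x09%ct%x09%G?'
%G? is git's signature status: G good, N unsigned, B/E/X/Y/R bad/error/expired/revoked.
"""
from collections import namedtuple

Commit = namedtuple("Commit", "sha an ae cn ce at ct sig")
BAD_SIG = set("BEXYR")


def parse_log(text):
    """Parse tab-separated git log lines into Commit records (newest first)."""
    commits = []
    for line in text.strip().splitlines():
        f = line.split("\t")
        if len(f) == 8:
            commits.append(Commit(*f[:5], int(f[5]), int(f[6]), f[7]))
    return commits


def audit(commits, known_emails, now):
    """Return (sha, reason) findings; `now` is a Unix timestamp."""
    findings = []
    prev_ct = None
    for c in commits:
        if c.sig == "N":
            findings.append((c.sha, "unsigned"))
        elif c.sig in BAD_SIG:
            findings.append((c.sha, "bad-signature"))
        if c.ae not in known_emails or c.ce not in known_emails:
            findings.append((c.sha, "unknown-identity"))
        if c.ae != c.ce:
            findings.append((c.sha, "author-committer-mismatch"))
        if c.at > now or c.ct > now:
            findings.append((c.sha, "future-date"))
        # Newest-first linear history: an older commit must not carry a later committer date.
        if prev_ct is not None and c.ct > prev_ct:
            findings.append((c.sha, "out-of-order-date"))
        prev_ct = c.ct
    return findings


# Constructed sample: signed maintainer commit, unsigned commit attributed to a
# well-known developer, commit dated after its child, and an old signed commit.
SAMPLE_LOG = (
    "aaa1\tMaintainer\tmaint@example.org\tMaintainer\tmaint@example.org\t1700000400\t1700000400\tG\n"
    "bbb2\tFamous Dev\tfamous@example.com\tFamous Dev\tfamous@example.com\t1700000300\t1700000300\tN\n"
    "ccc3\tMaintainer\tmaint@example.org\tMaintainer\tmaint@example.org\t1700000500\t1700000500\tN\n"
    "ddd4\tMaintainer\tmaint@example.org\tMaintainer\tmaint@example.org\t1600000000\t1600000000\tG\n"
)
```

Run it against a real repository by piping the `git log` command above into `parse_log` and passing the project's known contributor emails as the allowlist.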
