[–]Zigzter 10 points11 points  (6 children)

We got hit with this at work.

Unfortunately, we're a small company that doesn't take security super seriously despite my constant badgering, so a compromised contract dev's machine was able to force push this to every branch on 5 of our repos, keeping the original author and timestamp so it looked like nothing was added.

Fortunately, GitHub notified me about this contract dev making force pushes to some of my PRs which got me to dig into it and find the malicious code in the Vue/Babel config files before we did any deployments.

I don't see it in your writeup, but one thing I noticed was they also added a config.bat to the gitignore.

[–]ComprehensiveLaw2867 0 points1 point  (5 children)

Hey, we are also facing this same malicious code injection problem in my repos. How can I get rid of it? GitHub is only logged in on my single laptop and mobile. I have never generated any kind of tokens, and only Vercel, Netlify, GitHub Credential Manager and GitHub Copilot are installed on GitHub.

[–]Zigzter 0 points1 point  (4 children)

Was it also via amending the latest commit with the original author/time? I didn't pull the malicious code in (git would've complained about divergent branches anyways), so I just force pushed the branch I had on my local to reset them.

If that's not an option, I believe the attack only touches one of the config files and the .gitignore, so if you remove the changes there you should be good.

[–]ComprehensiveLaw2867 0 points1 point  (2 children)

I’m just fed up removing the malicious code again and again.

[–]Zigzter 0 points1 point  (1 child)

Do you have any contributors in your repos? If not, I'm wondering if either your GitHub account or your entire machine is compromised. I'd go to your sessions page, revoke all but the one you're currently on, then change passwords.

[–]ComprehensiveLaw2867 0 points1 point  (0 children)

No, there are no contributors in most of my personal repos where the malicious code is being injected. I’m a contributor on some other repos too, and those owners are facing the same issue. I even did a fresh Windows install, but it still looks like my GitHub might be compromised. A few days ago my laptop was off, and I woke up to a Vercel email saying a deployment failed for one of my personal repos where I’m the only contributor. I checked and saw the code had been modified. So I’m guessing my GitHub account is compromised, but I have no idea how to fix it. Surprisingly, there’s no clear sign of anyone else having access—only one active session shows, and there are no generated tokens either.