SC-DEPENDABOT-IMPERSONATION-2023
CI/CD · GitHub · GitHub repositories (Dependabot impersonation)
Summary
Between July 8 and July 11, 2023, in a campaign documented by Checkmarx, attackers pushed malicious commits to hundreds of public and private GitHub repositories while disguising them as automated contributions from the legitimate Dependabot bot. The attackers obtained victims' GitHub Personal Access Tokens, likely exfiltrated from developer machines via a malicious open-source package, and used those tokens to push commits whose author metadata was forged to show the dependabot[bot] account and whose commit message was simply 'fix'. This worked because Git and the GitHub API let a token holder set arbitrary commit metadata, and because PAT activity does not surface in the account audit log. Each malicious commit added a GitHub Actions workflow file (hook.yml) that triggered on every push and exfiltrated the project's defined secrets and environment variables to an attacker-controlled command-and-control server. The same commits modified existing JavaScript files in the repository, injecting obfuscated web-form password-stealer code that captured credentials submitted by end users and forwarded them to the same server. Most affected accounts belonged to Indonesian developers.
How to avoid it in your code
- Replace long-lived PATs with short-lived, fine-grained, least-privilege tokens.
- Require signed commits and verify the 'Verified' badge rather than trusting author names.
- Monitor for unexpected workflow files and commits attributed to bots.
- Rotate any exposed PATs immediately and audit repository secrets.
- Scan dependencies and developer machines for credential-stealing packages.
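To make the "verify the badge, not the author name" and "watch for unexpected workflow files" points concrete, here is an added triage script (not code from the Checkmarx report or from GitHub) that flags commits claiming to be dependabot[bot] without a verified signature, and any such commit that adds a workflow file. The record layout follows the GitHub REST commit object (commit.author, commit.verification, files) as an assumption; every sample record below is constructed.

```python
"""Added example: flag Dependabot-impersonation commits for review.
Input records mimic the GitHub REST API commit object (commit.author,
commit.verification, files); all sample data below is constructed."""
import re

BOT_AUTHOR = re.compile(r"dependabot\[bot\]", re.IGNORECASE)
WORKFLOW_PATH = re.compile(r"^\.github/workflows/.+\.ya?ml$")

def findings_for_commit(c):
    """Return the reasons this commit deserves review (empty list if clean)."""
    meta = c["commit"]
    author = meta.get("author", {})
    claims_bot = bool(BOT_AUTHOR.search(author.get("name", "")) or
                      BOT_AUTHOR.search(author.get("email", "")))
    verified = meta.get("verification", {}).get("verified", False)
    reasons = []
    # A genuine Dependabot commit carries a valid signature; a PAT holder can
    # copy the name and email, but cannot produce the signature behind the badge.
    if claims_bot and not verified:
        reasons.append("author claims dependabot[bot] but signature is not verified")
    # Dependabot only edits manifests and lockfiles; a "bot" adding a workflow
    # file under .github/workflows/ is exactly the hook.yml pattern of this campaign.
    added_workflows = [f["filename"] for f in c.get("files", [])
                       if f.get("status") == "added" and WORKFLOW_PATH.match(f["filename"])]
    if added_workflows and (claims_bot or not verified):
        reasons.append("adds workflow file(s): " + ", ".join(added_workflows))
    return reasons

def triage(commits):
    """Map sha -> reasons for every commit with at least one finding."""
    return {c["sha"]: r for c in commits if (r := findings_for_commit(c))}

# Constructed sample: one genuine-looking dependency bump, one impersonation.
SAMPLE_COMMITS = [
    {"sha": "aaa111", "commit": {"author": {"name": "dependabot[bot]",
        "email": "dependabot[bot]@users.noreply.github.com"},  # constructed
        "message": "Bump lodash from 4.17.20 to 4.17.21",
        "verification": {"verified": True, "reason": "valid"}},
     "files": [{"filename": "package-lock.json", "status": "modified"}]},
    {"sha": "bbb222", "commit": {"author": {"name": "dependabot[bot]",
        "email": "dependabot[bot]@users.noreply.github.com"},  # constructed
        "message": "fix",
        "verification": {"verified": False, "reason": "unsigned"}},
     "files": [{"filename": ".github/workflows/hook.yml", "status": "added"},
               {"filename": "src/login.js", "status": "modified"}]},
]

if __name__ == "__main__":
    for sha, reasons in triage(SAMPLE_COMMITS).items():
        print(sha, "->", "; ".join(reasons))
```

In a real pipeline the same checks run over the JSON returned for each new commit on a push event, and any hit is escalated before its workflow gets a chance to execute.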