An anonymous hacker has been infecting Git repositories with ransomware and threatening to wipe them clean if not paid in 10 days.
Hundreds of accounts have been infected and researchers believe the threat actor has scanned the entire internet for Git config files, extracted their credentials, and then used these login to access and infect accounts at the Git hosting services.
GitLab Director of Security Kathy Wang told ZDNet this was the root cause of an account compromise a user reported on StackExchange earlier today.
“As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository,” Wang told the publication.
“We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible, both of which would have prevented this issue.”
Fortunately for users members of the StackExchange Security forum have found that the hacker does not actually delete the file but instead altered the Git commit headers, meaning code commits can be recovered, in some cases.
Researchers have provided instructions for victim’s to regain access to files here.
Craig Young, computer security researcher for Tripwire’s VERT (vulnerability and exposure research team), told SC Media as a general rule of thumb, it is a terrible idea to use online accounts like GitHub to store irreplaceable data.
“The use of a FIDO U2F security key when accessing GitHub is highly recommended,” Young said. “This is especially important for accounts which have can make commits into source code repositories.”
Young added that someone else could also stealthily put ransomware in various software libraries which are in turn used by other projects and that GitHub becomes a very critical point of failure for modern supply chain security.