Researchers warn that attackers are spoofing and forging metadata of a commit on GitHub, which could poison repositories. ("Coding Javascript" by Christiaan Colen is licensed under CC BY-SA 2.0.)

Researchers reported Friday on software supply chain attack techniques that potentially let threat actors trick developers into using potentially malicious code.

In a blog post, Checkmarx researchers said by leveraging the ability to spoof and forge the metadata of a commit on GitHub, an attacker can deceive users and lure them into using poisoned repositories.

The Checkmarx researchers said while GitHub offers a solution for verifying the identity behind each commit, it requires active involvement from developers. They said developers should sign their commits and enable vigilant mode on users, steps that will help make the code ecosystem safe.

Commits function as one of the building blocks of GitHub. Similar to a file that’s been edited, a commit records one or more changes in a file. Each commit gets assigned a unique ID called an SHA, or hash, that identifies the specific changes, when the changes were made, and who made the changes. The commits also include metadata and the real issue, say the researchers, is that threat actors can forge the metadata.

In this era, quick and agile cloud application development must include open source as part of the software development lifecycle, said Tzachi “Zack” Zornstain, head of supply chain security at Checkmarx.

“This places the responsibility on us as an industry to help our fellow developers in choosing the right open source projects in the most safe, transparent way,” Zornstain said. “It's important to shed light in places where attackers can be lurking and to work together to keep the ecosystem safe."

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, said trusting who authored code has become one of the more difficult problems in open source development. Mackey said this isn’t simply a problem of spoofing accounts, but really speaks to the true identity of the contributor.

“Even when code commits are signed, and vigilant mode gets enabled, assessing the intent of the commits requires a level of trust that few organizations are likely to invest time in reviewing,” Mackey said. “This then creates a level of trust between the consumer of the software and the committers, and whenever there’s implicit trust, attackers can exploit that trust given the right conditions.”