Threat actors have carried out a campaign where they injected fake Dependabot contributions into hundreds of GitHub repositories to insert malicious code, according to a report by Checkmarx. In this campaign, attackers used stolen GitHub personal access tokens to gain access to repositories and push code, potentially compromising sensitive information and user passwords. To avoid detection, the attackers faked commit messages to make them look like they were generated by Dependabot, GitHub’s automated dependency management tool.
The attackers targeted both public and private repositories and added a new workflow file to send GitHub secrets to an external server. They also modified .js files in the projects to intercept user credentials. The stolen access tokens were likely obtained after victims downloaded a malicious package, and the attacks were likely automated, making it challenging for victims to identify the token compromise. Checkmarx recommends being cautious when obtaining code, even from trusted sources like GitHub, and paying attention to actual changes when using Dependabot.
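One defensive check that follows from this description is to audit commits attributed to Dependabot for signs of impersonation: GitHub signs genuine Dependabot commits, they come from a fixed bot identity, and they touch manifests and lockfiles rather than adding workflow files or editing application .js sources. The script below is an added example written for this summary, not code from Checkmarx or GitHub; the commit records are constructed to mimic the shape of GitHub's REST commit objects, and the bot noreply address is an assumption to confirm against a known-good commit in your own repository.

```python
# Added example: flag commits that claim to be Dependabot but do not look like
# Dependabot's own work. Sample records below are constructed, not real commits.
DEPENDABOT_NAME = "dependabot[bot]"
# Assumption: the noreply address GitHub attaches to genuine Dependabot commits.
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"
# Files a dependency bump normally edits; Dependabot also bumps action versions
# inside existing workflow files, but it does not add brand-new workflows.
EXPECTED_FILES = {"package.json", "package-lock.json", "yarn.lock",
                  "requirements.txt", "Gemfile.lock", "go.mod", "go.sum"}
WORKFLOW_DIR = ".github/workflows/"

def suspicious_dependabot_commits(commits):
    """Return [(sha, [reasons])] for Dependabot-attributed commits that look
    impersonated; commits with no findings are omitted."""
    findings = []
    for c in commits:
        author = c["commit"]["author"]
        if DEPENDABOT_NAME not in author["name"]:
            continue  # not claiming to be Dependabot; out of scope here
        reasons = []
        if not c["commit"]["verification"]["verified"]:
            reasons.append("unsigned: GitHub signs real Dependabot commits")
        if author["email"] != DEPENDABOT_EMAIL:
            reasons.append(f"unexpected author email {author['email']}")
        for f in c["files"]:
            name = f["filename"]
            if name.startswith(WORKFLOW_DIR):
                if f["status"] == "added":
                    reasons.append(f"new workflow file {name}")
            elif name.rsplit("/", 1)[-1] not in EXPECTED_FILES:
                reasons.append(f"touches non-manifest file {name}")
        if reasons:
            findings.append((c["sha"], reasons))
    return findings

# Constructed sample: one genuine-looking bump, one impersonation that adds a
# workflow (secret exfiltration path) and edits a .js file (credential theft path).
SAMPLE_COMMITS = [
    {"sha": "aaa111", "commit": {"author": {"name": DEPENDABOT_NAME, "email": DEPENDABOT_EMAIL},
     "verification": {"verified": True}},
     "files": [{"filename": "package-lock.json", "status": "modified"}]},
    {"sha": "bbb222", "commit": {"author": {"name": "dependabot[bot]", "email": "dependabot@example.com"},
     "verification": {"verified": False}},
     "files": [{"filename": ".github/workflows/sync.yml", "status": "added"},
               {"filename": "src/auth/login.js", "status": "modified"}]},
]

if __name__ == "__main__":
    for sha, reasons in suspicious_dependabot_commits(SAMPLE_COMMITS):
        print(sha, reasons)
```

Against live data, feed it the output of GitHub's commit endpoint for each Dependabot-authored commit and review every flagged sha by hand.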
Read more: https://www.securityweek.com/stolen-github-credentials-used-to-push-fake-dependabot-commits/