Security researchers have published an advisory describing a supply chain attack technique in which threat actors forge commit metadata to make malicious GitHub repositories look legitimate.
The researchers explain that commits are a core part of how GitHub (and git underneath it) works. Each commit is identified by a unique hash and records a set of changes to the files, the name and email address of the person who made them, and the time at which they were made.
The advisory notes that a threat actor can tamper with this metadata to make a repository appear new, actively maintained, or trending. It is also possible to impersonate the committer, so that a forged commit is linked to a genuine GitHub account.
Such forged commits can be generated automatically and backdated, and they show up against the impersonated user's GitHub activity, so a repository can pretend to have been active on the platform for years.
Developers can therefore be fooled into believing that a repository comes from a trustworthy source. Because the timestamps attached to commits are under the attacker's control as well, neither the apparent age of the project nor its apparent maintainers can be taken at face value.
The technique itself is simple.
According to the report, the attacker first needs the email address associated with the GitHub account they want to impersonate, which the report says is collected from legitimate GitHub accounts.
The adversary then uses git's ordinary identity settings to replace their own username and email address with the victim's before committing. Repeating this for several victims fills the repository's contributors section with real, recognisable accounts and gives the project a trustworthy appearance.
This matters because a repository's apparent reputation carries more weight with developers today than it did before. Worse, the impersonated users are never notified that their identity has been attached to someone else's commits.
Forged metadata can thus lure developers into using code they would otherwise avoid, and it hands threat actors a borrowed legitimacy. The researchers recommend that developers sign their commits, so that a verified signature rather than an editable name field proves who authored a change. Beyond that, the most reliable defence against this and similar supply chain tricks is to treat contributor activity with healthy suspicion and to check it rather than trust it.
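The following script is an added example written for this article; it is not code from the researchers or from GitHub. It reproduces the forging step described above (git takes author, committer and dates from environment variables without any check) and then shows what the recommended defence sees: the forged commit carries the victim's name and a backdated timestamp, but its signature status is "N" (no signature) and `git verify-commit` rejects it. The name, email address, date and file contents are all made up for the demonstration.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): forge commit author/committer
# metadata with git's environment variables, then inspect the commit the way
# a reviewer relying on commit signing would. Identity and date values below
# are constructed for the demo, not real people or real commits.

# Create a throw-away repository with one staged file and print its path.
make_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    printf 'print("hello")\n' > "$repo/app.py"
    git -C "$repo" add app.py
    echo "$repo"
}

# Commit as whoever we claim to be. Git takes author and committer identity
# and both timestamps from these variables and verifies none of them, which
# is exactly what the advisory describes. (Made-up maintainer and date.)
forge_commit() {
    repo=$1
    GIT_AUTHOR_NAME="Some Maintainer" \
    GIT_AUTHOR_EMAIL="maintainer@example.com" \
    GIT_AUTHOR_DATE="2019-03-14 09:26:53 +0000" \
    GIT_COMMITTER_NAME="Some Maintainer" \
    GIT_COMMITTER_EMAIL="maintainer@example.com" \
    GIT_COMMITTER_DATE="2019-03-14 09:26:53 +0000" \
        git -C "$repo" commit -q --no-gpg-sign -m "Initial import"
}

# What the log claims about HEAD: author email (%ae) and author date (%ai).
author_of_head() {
    git -C "$1" log -1 --format='%ae %ai'
}

# Signature status of HEAD. 'N' means no signature at all; only 'G' (good
# signature from a trusted key) actually ties the commit to an identity.
signature_status() {
    git -C "$1" log -1 --format='%G?'
}

# Forge a commit, then report the two views side by side.
demo() {
    repo=$(make_repo)
    forge_commit "$repo"
    echo "log claims:  $(author_of_head "$repo")"
    echo "signature:   $(signature_status "$repo")"
    if git -C "$repo" verify-commit HEAD 2>/dev/null; then
        echo "verify-commit: accepted"
    else
        echo "verify-commit: rejected (no valid signature)"
    fi
    rm -rf "$repo"
}

demo
```

The point to take from the output is that the metadata in the log is indistinguishable from a real commit by that maintainer; the only field an attacker cannot fake is the signature. Configuring `commit.gpgsign true` on the legitimate project and checking for `%G?` equal to `G` (or GitHub's "Verified" badge) turns the absent signature into a visible red flag.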