Hackers try to inject password stealing code in GitHub by posing as Dependabot automated updates

published: Sept. 29, 2023

Take action: All developers hate Dependabot alerts, since it's usually a lot of work to properly update packages. After this report some developers will argue that they are ignoring Dependabot alerts "because security" 🤷

Learn More

A fraudulent campaign has been identified involving the unauthorized access and misuse of GitHub accounts. In this attack, cybercriminals are deploying malicious code under the guise of Dependabot contributions, ultimately aiming to steal passwords from developers.

Majority of affected users are situated in Indonesia.

Dependabot is an automated dependency updater tool primarily used in software development to help manage and update a project's external libraries, frameworks, or packages that a software project relies on to function correctly. It's quite common that developers set Dependabot to automatically offer updates to the code or even automatically update the code.

The malicious code performs two primary actions:

  1. It exfiltrates defined secrets from the GitHub Actions to a malicious command and control (C2) server.
  2. It alters existing javascript files within the targeted project, embedding a password-stealing malware code. This modification enables the malware to capture any passwords submitted by end-users through web forms.

It's assumed that the attackers have gained initial access to accounts by compromising Personal Access Tokens (PATs), likely stolen from developers stations.

After stealing developer tokens, the attackers used a technique to fake commit messages to trick developers thinking the code was contributed by the real Dependabot and to approve the changes. 

The attackers created a commit message “fix” appear to be contributed by user account “dependabot[bot]” 

The precise method employed for the theft of the PATs that enabled the Dependabot faking remains unclear, although suspicions point to a potential rogue package installed by the developers that stole their tokens.

Hackers try to inject password stealing code in GitHub by posing as Dependabot automated updates