Blackmailers take over GitHub repositories, grab data and delete content

Attackers presumably tapped GitHub access data via phishing, copied and deleted the contents of the repositories and then blackmailed those affected.


Attackers have taken over GitHub repositories, copied their contents and then deleted them. The maintainers only found a readme file in the renamed repositories, which prompted them to contact the extortionists via Telegram.

Apparently, the attacks have been going on since February and the most recent incidents date back to the beginning of June. The hackers presumably obtained the access data via phishing.


Security researcher Germán Fernández reported the incident on X at the beginning of June. The attackers renamed the repositories of the affected accounts, accessed the content and then deleted it. They replaced the readme of the repositories with a short message indicating that the data had been compromised and that the attackers had created a backup. This is followed by a link to the Telegram account of the user Gitloker, where more information would be available. Gitloker describes himself as a "Cyber Incident Analyst" on the Telegram profile page.

A search on GitHub for the link to the Telegram account currently shows 44 openly accessible repositories with the ransom note in their readme files. The attackers are obviously aware that simply deleting the data is often not enough to persuade those affected to pay, since they may well have a local Git clone.

In an issue from April, there is a letter from the blackmailers that – in an extremely polite tone – describes in more detail which data has ended up in their hands. This was extremely sensitive information that should not be made public. However, they were prepared not to publish the data – in exchange for a payment of 250,000 USDT stablecoins (Tether crypto tokens), which have an equivalent value of 250,000 US dollars.

Alongside the affected GitHub repositories with their short readme files, this issue contains a specific payment demand.


In another tweet, Fernández suspects that the attackers tapped the access data via phishing. Apparently, some GitHub users received emails linking to supposed GitHub sites with "githubcareers" or "githubtalentcommunity" in the address. Those affected were presented with security warnings or job offers for which they were supposed to register on these pages with their GitHub access data. Discussion posts with similar incidents can be found on GitHub.

Accounts on GitHub are repeatedly the target of attacks. Often, the attackers are not simply trying to blackmail the maintainers, but to plant malicious code in order to attack the software supply chain.

GitHub has long required users to log in using two-factor authentication (2FA) or passkeys for protection.

(rme)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.