Major developer platform GitHub has suffered a widespread malware attack.
GitHub has reported 35,000 “code hits.”
GitHub developer Stephen Lucy first reported the incident earlier on Wednesday. The developer came across the issue while reviewing a project he found on a Google search.
So far, projects spanning crypto, Golang, Python, JavaScript, Bash, Docker and Kubernetes have been affected by the attack.
The attack targets Docker images, install docs and npm scripts.
The attacker created fake repositories (a repository contains all of a project's files and each file's revision history) and pushed clones of legitimate projects to GitHub.
Once a developer falls prey to the attack, the entire set of environment variables (ENV) of the script, application, or laptop (Electron apps) is sent to the attacker's server.
The ENV includes security keys, AWS access keys, crypto keys and much more.
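To gauge what such an ENV dump would expose on a given machine, the following added example (not from the article or from GitHub) lists the names of environment variables that look like credentials, so they can be rotated. The name fragments and value patterns are assumptions chosen for illustration, and the sample environment is constructed.

```python
import os
import re

# Name fragments that commonly mark a credential-bearing variable (assumed list).
NAME_HINTS = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY|MNEMONIC|CREDENTIAL)",
    re.I,
)

# Value shapes that identify a credential regardless of the variable name.
VALUE_HINTS = {
    "aws-access-key-id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

def rotation_candidates(env):
    """Return {variable name: sorted reasons} for entries that look like secrets."""
    findings = {}
    for name, value in env.items():
        reasons = set()
        if NAME_HINTS.search(name):
            reasons.add("name")
        for label, pattern in VALUE_HINTS.items():
            if pattern.search(value):
                reasons.add(label)
        if reasons:
            findings[name] = sorted(reasons)
    return findings

# Constructed sample environment; the AWS values are AWS's documentation placeholders.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "DEPLOY_ID": "AKIAIOSFODNN7EXAMPLE",  # innocuous name, key-shaped value
    "WALLET_MNEMONIC": "constructed sample words only",
    "HOME": "/home/dev",
}

if __name__ == "__main__":
    # Report names and reasons only, never values, so the output is safe to share.
    for name, reasons in sorted(rotation_candidates(os.environ).items()):
        print(f"{name}: {', '.join(reasons)}")
```

Matching on value shape as well as name catches keys stored under innocuous variable names, which a name-only check would miss.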