<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Github — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/github/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 May 2026 00:10:33 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/github/feed.xml" rel="self" type="application/rss+xml"/><item><title>Increased npm Supply Chain Attacks Targeting SAP Developers</title><link>https://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/</link><pubDate>Sat, 02 May 2026 00:10:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/</guid><description>Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.</description><content:encoded><![CDATA[<p>The npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. 
In April 2026, two campaigns were observed: one included the string &ldquo;Shai-Hulud: The Third Coming,&rdquo; and the other, dubbed &ldquo;Mini Shai-Hulud,&rdquo; targeted the SAP developer ecosystem. The compromised packages are often part of SAP&rsquo;s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.</li>
<li>Malicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a &ldquo;preinstall&rdquo; hook.</li>
<li>Execution of setup.mjs: During the <code>npm install</code> process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.</li>
<li>Bun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.</li>
<li>Execution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.</li>
<li>Credential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. It also targets Claude and MCP configuration files and Electrum wallets.</li>
<li>Data Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.</li>
<li>Propagation: The malware searches for commits containing the keyword &ldquo;OhNoWhatsGoingOnWithGitHub,&rdquo; decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Rotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).</li>
<li>Monitor npm install processes for unexpected execution of <code>node setup.mjs</code> (see Attack Chain).</li>
<li>Implement the Sigma rule &ldquo;Detect Suspicious Bun Process Execution&rdquo; to identify potential execution of the Bun runtime from temporary directories.</li>
<li>Monitor network connections for unusual processes connecting to <code>api.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub</code> (see IOCs) to detect potential C2 activity.</li>
<li>Deploy the Sigma rule &ldquo;Detect Github Commit By Claude Email&rdquo; to detect malicious commits by identifying those authored with the email <code>claude@users.noreply.github.com</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>npm</category><category>supply-chain</category><category>credential-theft</category><category>github</category></item><item><title>Komari Agent Abused as SYSTEM-Level Backdoor</title><link>https://feed.craftedsignal.io/briefs/2026-04-komari-red/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-komari-red/</guid><description>Threat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral movement via Impacket.</description><content:encoded><![CDATA[<p>Huntress discovered threat actors leveraging the Komari monitoring agent as a SYSTEM-level backdoor within a partner environment. Komari, a Go-based project on GitHub with over 4,000 stars, is designed as a remote-control and monitoring tool. This incident marks a publicly documented case of Komari being abused in a real-world intrusion. The attackers compromised VPN credentials to gain initial access before deploying the Komari agent as a persistent backdoor. Komari inherently functions as a command-and-control (C2) channel, with features enabled by default. The threat actor installed Komari as a Windows service named &ldquo;Windows Update Service&rdquo; using NSSM, directly from the official GitHub repository, which avoided the need for attacker-controlled staging infrastructure. The initial discovery occurred on April 16, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker establishes an SSLVPN session on a FortiGate device from IP address 45.153.34[.]132, authenticating as a legitimate user, [User 1].</li>
<li><strong>Internal Reconnaissance:</strong> After establishing the VPN connection, the attacker&rsquo;s workstation, identified as VM8514, begins enumerating the internal network from the tunnel IP 10.212.134[.]200.</li>
<li><strong>Lateral Movement:</strong> Using Impacket&rsquo;s smbexec.py, the attacker enables Remote Desktop Protocol (RDP) on the target workstation, [REDACTED-WRKSTN].</li>
<li><strong>RDP Access:</strong> The attacker establishes an interactive RDP session to [REDACTED-WRKSTN].</li>
<li><strong>Persistence - Service Creation:</strong> The attacker uses the Non-Sucking Service Manager (NSSM) to install the Komari agent as a persistent Windows service named &ldquo;Windows Update Service&rdquo;.</li>
<li><strong>Agent Download:</strong> The Komari agent is downloaded from raw.githubusercontent[.]com/komari-monitor/komari-agent using a PowerShell one-liner executed directly on the system.</li>
<li><strong>Command and Control:</strong> The Komari agent establishes a persistent WebSocket connection to its server, allowing the attacker to execute arbitrary commands (PowerShell/sh) and initiate interactive PTY reverse shell sessions.</li>
<li><strong>Maintain Access &amp; Execute:</strong> The attacker maintains SYSTEM-level access via the persistent Komari agent, enabling ongoing remote command execution and control over the compromised workstation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This attack demonstrates how readily available monitoring tools can be weaponized for malicious purposes. A single compromised account led to the establishment of a SYSTEM-level backdoor on a critical workstation. This could result in data exfiltration, further lateral movement within the network, and potentially ransomware deployment. Microsoft Defender quarantined an earlier registry hive dumping attempt, preventing further data compromise. The number of affected organizations is currently unknown, but any organization using the Komari agent without proper security controls is potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor FortiGate logs for SSLVPN sessions originating from suspicious IP addresses (45.153.34[.]132) and unusual ASNs (ASN 51396) to detect potentially compromised credentials.</li>
<li>Implement the Sigma rule &ldquo;Detect Komari Agent Installation via PowerShell&rdquo; to identify installations of the Komari agent.</li>
<li>Monitor process creation events for the execution of <code>nssm.exe</code> installing a service named &ldquo;Windows Update Service&rdquo; to detect suspicious service installations.</li>
<li>Block the domain raw.githubusercontent[.]com at the DNS resolver or web proxy to prevent the downloading of malicious tools and payloads.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>komari</category><category>backdoor</category><category>nssm</category><category>github</category><category>rat</category><category>reverse shell</category></item><item><title>Detection of Github Delete Actions in Audit Logs</title><link>https://feed.craftedsignal.io/briefs/2026-04-github-delete-action/</link><pubDate>Tue, 28 Apr 2026 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-github-delete-action/</guid><description>This brief focuses on detecting deletion actions within GitHub audit logs, specifically targeting the deletion of codespaces, environments, projects, and repositories, potentially indicating malicious activity or insider threats.</description><content:encoded><![CDATA[<p>This detection strategy focuses on identifying potentially malicious or unauthorized deletion activities within a GitHub organization. The detections hinge on monitoring GitHub audit logs for specific actions related to the deletion of critical resources. This includes actions such as deleting codespaces (<code>codespaces.destroy</code>), deleting environments (<code>environment.delete</code>), deleting projects (<code>project.delete</code>), and destroying repositories (<code>repo.destroy</code>). This activity is important for defenders because these actions can lead to data loss, service disruption, or compromise of the software development lifecycle. The detections are triggered by events recorded within the GitHub audit log, requiring audit log streaming to be enabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains unauthorized access to a GitHub account with sufficient privileges. This could be achieved through compromised credentials or insider access.</li>
<li><strong>Privilege Escalation (Optional):</strong> The attacker escalates privileges within the GitHub organization to gain the necessary permissions to delete resources if they don&rsquo;t already have them.</li>
<li><strong>Reconnaissance:</strong> The attacker identifies valuable codespaces, environments, projects, or repositories within the GitHub organization that they intend to delete.</li>
<li><strong>Deletion of Codespaces:</strong> The attacker executes the <code>codespaces.destroy</code> action, deleting a specific codespace instance, potentially disrupting development workflows.</li>
<li><strong>Deletion of Environments:</strong> The attacker executes the <code>environment.delete</code> action, removing a specific environment configuration, potentially affecting deployment processes.</li>
<li><strong>Deletion of Projects:</strong> The attacker executes the <code>project.delete</code> action, deleting a project board and its associated tasks, impacting project management.</li>
<li><strong>Deletion of Repositories:</strong> The attacker executes the <code>repo.destroy</code> action, permanently deleting a repository, leading to code loss and potential service disruption.</li>
<li><strong>Impact:</strong> The deletion of critical resources disrupts development workflows, causes data loss, and potentially compromises the software development lifecycle.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of these actions can lead to significant disruption of software development workflows, data loss, and potential compromise of the software supply chain. The number of affected resources and the severity of the impact depend on the scope of the attacker&rsquo;s access and the criticality of the deleted resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable GitHub audit log streaming to capture the necessary events for detection (reference: logsource definition).</li>
<li>Deploy the provided Sigma rule to detect <code>codespaces.destroy</code>, <code>environment.delete</code>, <code>project.delete</code>, and <code>repo.destroy</code> actions in the GitHub audit logs, and tune for your environment (reference: rules).</li>
<li>Investigate any alerts triggered by the Sigma rule to determine the legitimacy of the deletion activity and the actor involved (reference: rules, falsepositives).</li>
<li>Validate the &ldquo;actor&rdquo; field in the audit logs to ensure the deletion activity is performed by an authorized user (reference: falsepositives).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>audit</category><category>data-loss</category><category>impact</category></item><item><title>AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-github-actions-credential-theft/</link><pubDate>Wed, 22 Apr 2026 17:45:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-github-actions-credential-theft/</guid><description>Attackers are stealing AWS credentials configured as GitHub Actions secrets and using them from non-CI/CD infrastructure, indicating potential credential theft and unauthorized access to AWS resources.</description><content:encoded><![CDATA[<p>This threat involves the unauthorized use of AWS credentials stolen from GitHub Actions secrets. Attackers exfiltrate these credentials and use them from their own infrastructure, bypassing the intended CI/CD environment. The activity is detected by observing AWS access keys appearing in CloudTrail logs originating from both legitimate GitHub Actions runners (identified by Microsoft ASN or the <code>github-actions</code> user agent string) and suspicious infrastructure outside the expected CI/CD provider ASNs (Amazon, Google, Microsoft). This indicates a breach of GitHub repository or organization secrets, leading to potential unauthorized access and control over AWS resources. This activity can begin with compromised GitHub accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a GitHub repository or organization with AWS credentials stored as secrets.</li>
<li>The attacker exfiltrates the AWS access key ID and secret access key, either manually or through automated means, such as modifying a GitHub Action workflow to expose the secrets.</li>
<li>The attacker configures the stolen AWS credentials on their own infrastructure, using tools like the AWS CLI or boto3.</li>
<li>The attacker attempts to authenticate to AWS using the stolen credentials. This generates CloudTrail logs with the attacker&rsquo;s source IP address and ASN.</li>
<li>The attacker performs reconnaissance activities, such as calling <code>sts:GetCallerIdentity</code>, <code>ListBuckets</code>, <code>DescribeInstances</code>, or <code>ListUsers</code>, to understand the AWS environment and identify potential targets.</li>
<li>The attacker attempts to escalate privileges or move laterally within the AWS environment by exploiting the compromised credentials.</li>
<li>The attacker may create, modify, or delete AWS resources, such as EC2 instances, S3 buckets, or IAM roles, depending on the permissions associated with the stolen credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to unauthorized access to AWS resources, potentially resulting in data breaches, service disruptions, or financial losses. The impact depends on the permissions associated with the stolen AWS credentials. A single compromised credential could expose sensitive data, disrupt critical services, or allow attackers to deploy malicious infrastructure within the victim&rsquo;s AWS environment. Identifying and responding to this threat quickly is vital to minimize damages.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure&rdquo; to your SIEM and tune for your environment to detect suspicious usage patterns.</li>
<li>Rotate the compromised AWS access key in IAM immediately and update the corresponding GitHub repository/organization secret as described in the rule documentation.</li>
<li>Implement OIDC-based authentication (<code>aws-actions/configure-aws-credentials</code> with <code>role-to-assume</code>) instead of long-lived access keys as mentioned in the rule documentation.</li>
<li>If using OIDC, add IP condition policies to the IAM role trust policy to restrict <code>AssumeRoleWithWebIdentity</code> to known GitHub runner IP ranges, based on the information in the rule documentation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>github</category><category>credential-theft</category><category>initial-access</category><category>lateral-movement</category></item><item><title>GitHub Exfiltration via High Number of Repository Clones</title><link>https://feed.craftedsignal.io/briefs/2026-06-github-exfiltration/</link><pubDate>Fri, 10 Apr 2026 17:40:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-github-exfiltration/</guid><description>A single user rapidly cloning a high number of GitHub repositories indicates potential exfiltration of sensitive data such as proprietary code, embedded secrets, and build artifacts.</description><content:encoded><![CDATA[<p>This alert identifies potential data exfiltration from GitHub via rapid repository cloning. Attackers often target code repositories to steal proprietary code, embedded secrets, and build artifacts. This activity can be indicative of a compromised personal access token (PAT) being used in a script to enumerate and clone repositories from a CI runner or cloud VM. Private and internal repositories are particularly attractive targets, as they often contain sensitive information. The alert focuses on detecting unusual patterns of bulk cloning within a short timeframe, allowing defenders to respond quickly before significant data loss occurs. The original rule was created on 2025/12/16 and updated on 2026/04/10. This activity is often associated with supply chain attacks and the compromise of CI/CD pipelines, similar to the Shai Hulud attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains unauthorized access to a GitHub account or obtains a valid, but misused, Personal Access Token (PAT).</li>
<li>The attacker uses the compromised credentials to authenticate to the GitHub API.</li>
<li>The attacker&rsquo;s script enumerates accessible repositories within the organization, identifying potential targets.</li>
<li>A script is executed to initiate a high volume of <code>git clone</code> operations against the targeted repositories.</li>
<li>Repositories, including private and internal ones, are cloned to a staging area, often a CI runner or cloud VM.</li>
<li>The cloned data is compressed and staged for exfiltration, potentially involving archiving or large outbound transfers.</li>
<li>The attacker exfiltrates the cloned data to an external location, potentially via a web service or other covert channel.</li>
<li>The exfiltrated data is used for malicious purposes, such as reverse engineering, finding vulnerabilities, or selling sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exfiltration of GitHub repositories can lead to the exposure of sensitive source code, trade secrets, and proprietary algorithms. This can result in significant financial losses, reputational damage, and competitive disadvantage. In the event of secrets exposure (API keys, passwords, etc.), downstream systems and services may also be compromised. Depending on the nature of the exfiltrated code, legal and regulatory repercussions are also possible. Mass cloning of dozens of repositories can quickly siphon proprietary code, embedded secrets, and build artifacts across teams before defenses can respond.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Github Exfiltration via High Number of Clones in Short Time</code> to your SIEM and tune the threshold (event_count &gt;= 25) for your environment to reduce false positives based on legitimate automated activity.</li>
<li>Monitor GitHub audit logs for <code>git.clone</code> events, focusing on users with a high number of clones within a short timeframe to catch suspicious activity.</li>
<li>Revoke any GitHub tokens identified as being used for mass cloning, and force password resets and 2FA re-verification for the associated user accounts.</li>
<li>Investigate the originating host (identified by the <code>agent.id</code> or <code>user_agent</code> fields) for signs of compromise and block/quarantine it to prevent further exfiltration.</li>
<li>Implement organization-wide SAML SSO, disallow classic PATs, and enforce IP allowlisting for PAT use to enhance security posture.</li>
<li>Enable secret scanning with push protection on all repositories to prevent accidental or intentional exposure of credentials.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>exfiltration</category><category>code_repository</category></item><item><title>SaaS Notification Pipeline Abuse for Phishing and Spam Campaigns</title><link>https://feed.craftedsignal.io/briefs/2026-04-saas-notification-abuse/</link><pubDate>Tue, 07 Apr 2026 10:00:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-saas-notification-abuse/</guid><description>Attackers are abusing notification pipelines in SaaS platforms like GitHub and Jira to deliver phishing and spam emails by exploiting legitimate platform features and bypassing traditional email security measures.</description><content:encoded><![CDATA[<p>Cisco Talos has observed a surge in malicious activity that abuses notification pipelines within popular collaboration platforms, such as GitHub and Jira, to distribute spam and phishing emails. This technique, known as Platform-as-a-Proxy (PaaP), enables threat actors to bypass conventional email security filters by leveraging the trusted infrastructure of legitimate SaaS providers. Attackers embed malicious content within system-generated notifications, exploiting the implicit trust organizations place in these platforms. This allows them to effectively weaponize legitimate infrastructure and deliver phishing content, often leading to credential harvesting and subsequent attacks. During a campaign on February 17, 2026, approximately 2.89% of emails originating from GitHub were associated with this abuse.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Repository Creation (GitHub):</strong> Attackers create new repositories on GitHub to host their malicious content.</li>
<li><strong>Commit Message Crafting (GitHub):</strong> Attackers craft malicious commit messages containing phishing lures within the mandatory summary field and detailed scam content in the optional extended description field.</li>
<li><strong>Commit Push (GitHub):</strong> Attackers push the crafted commit to the newly created repository, triggering an automated email notification to collaborators and watchers.</li>
<li><strong>Project Creation (Jira):</strong> Attackers create a new Jira Service Management project to configure automated customer invites.</li>
<li><strong>Malicious Data Input (Jira):</strong> Attackers inject malicious lures into data fields, such as the &ldquo;Project Name,&rdquo; &ldquo;Welcome Message,&rdquo; or &ldquo;Project Description&rdquo; fields, within the Jira project configuration.</li>
<li><strong>Customer Invite (Jira):</strong> The attacker utilizes the &ldquo;Invite Customers&rdquo; feature and inputs the victim&rsquo;s email address.</li>
<li><strong>Automated Notification Generation (GitHub/Jira):</strong> The platforms (GitHub/Jira) automatically generate email notifications containing the attacker-supplied malicious content, bypassing standard email security checks due to the trusted source.</li>
<li><strong>Credential Harvesting/Social Engineering:</strong> Victims receive the notifications and are tricked into clicking malicious links or providing sensitive information, leading to credential compromise and further exploitation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Abusing SaaS notification pipelines can lead to widespread credential compromise and business email compromise (BEC). Successful phishing attacks can grant attackers initial access to corporate networks, enabling data theft, ransomware deployment, and other malicious activities. On February 17, 2026, 2.89% of emails originating from GitHub were associated with this abuse. The trust placed in platforms like GitHub and Jira makes these attacks particularly effective, as users are pre-conditioned to view notifications from these sources as legitimate and urgent.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement detection rules to identify suspicious keywords and patterns within commit messages originating from GitHub (see: &ldquo;GitHub Commit Message Phishing Lure&rdquo; rule).</li>
<li>Monitor for unusual Jira project names or welcome messages that contain suspicious URLs or language (see: &ldquo;Jira Service Desk Invite Abuse&rdquo; rule).</li>
<li>Review email logs for messages originating from <code>noreply[@]github.com</code> that contain invoice-related lures in the subject line, especially spikes in volume (see IOC table).</li>
<li>Implement enhanced email filtering rules to analyze the content of emails originating from SaaS platforms for phishing indicators.</li>
<li>Educate users to carefully inspect emails, even from trusted sources like GitHub and Jira, and to verify the legitimacy of links and requests before clicking or providing information.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>saas-abuse</category><category>phishing</category><category>credential-harvesting</category><category>github</category><category>jira</category></item><item><title>Rise in Software Supply Chain Attacks Targeting Open-Source Libraries</title><link>https://feed.craftedsignal.io/briefs/2026-04-supply-chain-attacks/</link><pubDate>Fri, 03 Apr 2026 17:31:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-supply-chain-attacks/</guid><description>Multiple supply chain attacks, including the compromise of Axios and Trivy via hijacked GitHub repositories by TeamPCP, demonstrate the increasing threat to open-source software.</description><content:encoded><![CDATA[<p>In early 2026, a surge in supply chain attacks has been observed, impacting widely used open-source libraries and tools. Notably, Axios, a popular HTTP client library for JavaScript with 100 million weekly downloads, was maliciously modified. Additionally, the &ldquo;chaos-as-a-service&rdquo; group TeamPCP injected malicious code into hijacked GitHub repositories for open-source projects, including Trivy, a security scanner. The Talos 2025 Year in Review indicated that nearly 25% of the top 100 targeted vulnerabilities affected widely used frameworks and libraries. React2Shell became the top-targeted vulnerability of 2025. These incidents highlight the fragility of the software supply chain and the potential for widespread downstream impact, affecting numerous organizations relying on these compromised components. Defenders face the challenge of identifying and remediating deeply integrated malicious code within their environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> TeamPCP compromises GitHub repositories of open-source projects like Trivy.</li>
<li><strong>Code Injection:</strong> Malicious code is injected into the project&rsquo;s codebase within the compromised GitHub repository.</li>
<li><strong>Package Build and Distribution:</strong> The compromised code is included in a new version of the software package during the build process.</li>
<li><strong>Distribution via Package Managers:</strong> The malicious package is distributed through package managers like npm, becoming available for download by developers.</li>
<li><strong>Downstream Consumption:</strong> Developers unknowingly download and integrate the compromised package into their applications.</li>
<li><strong>Execution in Downstream Environments:</strong> The malicious code executes within the developers&rsquo; applications and environments.</li>
<li><strong>Lateral Movement/Data Exfiltration/Ransomware:</strong> The injected code performs malicious actions such as data exfiltration or establishing a reverse shell for lateral movement.</li>
<li><strong>Impact:</strong> The attacker achieves their objectives, such as data theft, system compromise, or ransomware deployment across numerous downstream victims.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The compromise of widely used libraries and frameworks like Axios and Trivy can have a vast impact, potentially affecting millions of users and organizations. The Axios library alone receives 100 million downloads weekly. The successful exploitation of the React2Shell vulnerability demonstrates the speed at which these attacks can reach massive scale. The resulting damage can range from data breaches and system compromise to ransomware deployment, affecting organizations across various sectors. The integration of these utilities often makes full cataloging and remediation challenging, leading to prolonged exposure and increased risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Secure CI/CD pipelines to prevent compromises from occurring, addressing the attack vector used by TeamPCP.</li>
<li>Implement robust logging to monitor for suspicious activity related to compromised packages and aid in incident response.</li>
<li>Inventory the software libraries and frameworks in use, and rapidly implement patching and other mitigations when security incidents are reported.</li>
<li>Implement robust multi-factor authentication (MFA) to protect developer accounts on platforms like GitHub.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>supply-chain</category><category>software-compromise</category><category>github</category></item><item><title>Agent Skill Marketplace Supply Chain Attack via GitHub Account Hijacking</title><link>https://feed.craftedsignal.io/briefs/2026-03-agent-skill-hijacking/</link><pubDate>Mon, 23 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-agent-skill-hijacking/</guid><description>A supply chain attack targets agent skill marketplaces by exploiting GitHub username hijacking, allowing threat actors to intercept skill downloads from vulnerable repositories, with scanners showing significant disagreement on malicious skill identification and embedded live API credentials discovered.</description><content:encoded><![CDATA[<p>A supply chain attack has been identified targeting agent skill marketplaces that utilize a link-out distribution model, specifically indexing skills via GitHub repository URLs. The vulnerability arises when original repository owners rename their GitHub accounts, making the previous username available for takeover. Attackers can claim the orphaned username, recreate the repository, and intercept all future skill downloads. A study found 121 skills forwarding to 7 vulnerable repositories, with the most-downloaded hijackable skill having over 2,000 downloads. Further analysis of 238,180 unique skills from various marketplaces revealed significant disagreement among scanners, with fail rates ranging from 3.79% to 41.93%. Additionally, live API credentials for services such as NVIDIA, ElevenLabs, Gemini, and MongoDB were found embedded within the analyzed corpus, highlighting a severe lack of security hygiene in the agent skill ecosystem. 
This attack highlights the risks associated with relying on external repositories and the need for robust validation mechanisms in agent skill marketplaces.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Original GitHub repository owner renames their account, making the old username available.</li>
<li>Attacker registers the now-available GitHub username.</li>
<li>Attacker recreates the repository at the same URL as the original skill.</li>
<li>Users download the &ldquo;skill&rdquo; from the marketplace, which now points to the attacker&rsquo;s repository.</li>
<li>The attacker&rsquo;s repository serves malicious code instead of the original skill.</li>
<li>The malicious code executes on the user&rsquo;s system or agent platform.</li>
<li>Attackers leverage the skill to gain access to the victim&rsquo;s environment.</li>
<li>Attackers exfiltrate sensitive data or deploy further malicious payloads.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This supply chain attack can compromise systems and data by delivering malicious code through hijacked agent skills. The discovery of 121 vulnerable skills and 7 vulnerable repositories demonstrates the scale of this threat. The presence of live API credentials for major services like NVIDIA, ElevenLabs, Gemini, and MongoDB within the skill corpus suggests widespread insecure development practices. Successful exploitation can lead to data breaches, system compromise, and unauthorized access to cloud services, potentially impacting numerous users and organizations relying on these agent skills. The disagreement between scanners highlights the difficulty in detecting these malicious skills, further compounding the risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement monitoring for GitHub repository ownership changes for all deployed skills to detect potential hijacking (refer to Attack Chain).</li>
<li>Pin skills to specific commit hashes rather than mutable branch heads to ensure code integrity (refer to Attack Chain).</li>
<li>Require a minimum of two independent scanners to flag a skill before treating it as confirmed malicious to reduce false positives (refer to Overview).</li>
<li>Deploy the Sigma rule below to identify potential GitHub username registration events (see &ldquo;Detect GitHub Username Registration&rdquo; rule).</li>
<li>Prefer direct-hosting marketplaces over link-out distribution models to reduce reliance on external repositories (refer to Overview).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>supply-chain</category><category>github</category><category>agent-skills</category><category>repository-hijacking</category></item><item><title>GhostLoader Malware Targeting macOS via GitHub and AI Workflows</title><link>https://feed.craftedsignal.io/briefs/2024-01-ghostloader/</link><pubDate>Sat, 21 Mar 2026 13:03:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ghostloader/</guid><description>GhostLoader malware leverages GitHub repositories and AI-assisted development workflows to distribute credential-stealing payloads targeting macOS systems.</description><content:encoded><![CDATA[<p>GhostLoader is a malware campaign observed using GitHub repositories and AI-assisted development workflows to deliver malicious payloads specifically designed to steal credentials from macOS systems. The threat leverages the trust associated with software repositories and the increasing adoption of AI tools in development to potentially bypass security measures. While the exact start date of the campaign is not specified, the report from Jamf highlights its recent emergence as a notable threat. Defenders should prioritize monitoring for suspicious activity related to GitHub repositories and unusual AI-driven development processes. The targeted scope appears to be macOS users who engage with software development resources and AI-related tools.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker creates a seemingly legitimate software repository on GitHub.</li>
<li>The repository contains a project with files that may appear benign or related to AI workflows.</li>
<li>A malicious script or binary, named GhostLoader, is included within the repository or downloaded as a dependency.</li>
<li>A user downloads or clones the repository, potentially enticed by AI-assisted development features or other seemingly useful functionality.</li>
<li>The user executes the GhostLoader script or binary on their macOS system.</li>
<li>GhostLoader executes, initiating the credential-stealing process.</li>
<li>Stolen credentials are collected and potentially exfiltrated to a remote server controlled by the attacker.</li>
<li>The attacker uses the stolen credentials to gain unauthorized access to user accounts or sensitive systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The GhostLoader malware directly targets macOS systems and focuses on credential theft. Successful attacks can lead to unauthorized access to sensitive user accounts, intellectual property, and confidential data. The number of victims and specific sectors targeted remain unclear, but the use of GitHub and AI workflows suggests a focus on developers or users involved in AI-related activities. The compromise of credentials can have severe consequences, including financial loss, data breaches, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events on macOS for execution of unusual or unsigned binaries in user directories, potentially indicative of GhostLoader execution (see process creation rule).</li>
<li>Implement network monitoring to detect connections to known malicious infrastructure or unusual data exfiltration patterns after the execution of scripts from cloned GitHub repositories.</li>
<li>Educate developers and users about the risks of downloading and executing code from untrusted sources, particularly those related to AI-assisted workflows.</li>
<li>Enable and review macOS system logs for suspicious activity related to credential access and keychain modifications.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>github</category><category>malware</category><category>macos</category><category>credential-theft</category><category>ai</category></item><item><title>Glassworm Malware Hidden in Unicode Characters Affecting GitHub Repositories</title><link>https://feed.craftedsignal.io/briefs/2024-02-29-glassworm-unicode-malware/</link><pubDate>Sun, 15 Mar 2026 15:30:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-29-glassworm-unicode-malware/</guid><description>The Glassworm malware utilizes invisible Unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.</description><content:encoded><![CDATA[<p>The Glassworm malware is a newly discovered threat that leverages the presence of invisible Unicode characters within source code to inject malicious payloads into software projects. Discovered in early 2026, this malware has already compromised over 150 repositories on GitHub. The attack focuses on injecting these invisible characters into popular repositories, particularly those related to JavaScript and Node.js development, potentially impacting a wide range of applications and services. The delivery mechanism involves contributors with malicious intent adding these characters or compromised accounts injecting them. This sophisticated approach allows the malware to remain undetected during code reviews and traditional security scans, making it a significant threat to the software supply chain.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A malicious actor gains commit access to a target GitHub repository through either direct contribution or compromised credentials.</li>
<li>The actor injects invisible Unicode characters into source code files, such as JavaScript or package.json files.</li>
<li>These Unicode characters are strategically placed within the code so that they are visually innocuous but alter the program&rsquo;s execution when interpreted.</li>
<li>The altered code, containing the Unicode characters, is committed to the repository, potentially passing initial code review checks due to the characters&rsquo; invisibility.</li>
<li>When a developer clones or downloads the compromised repository, the Unicode characters are included in their local copy of the code.</li>
<li>During the build process (e.g., <code>npm install</code>), the malicious code embedded within the Unicode characters is executed.</li>
<li>This execution leads to the download and execution of a secondary payload from a remote server, potentially installing malware, backdoors, or exfiltrating sensitive data.</li>
<li>The final objective is to compromise the developer&rsquo;s system or to inject malicious code into applications built using the compromised repository, thus propagating the malware further.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful deployment of Glassworm can lead to widespread supply chain compromise, potentially affecting thousands of developers and end-users. Over 150 GitHub repositories have already been identified as infected, and the actual number could be much higher. Successful exploitation leads to arbitrary code execution on developer machines and within deployed applications. The compromised code can steal credentials, inject backdoors, and exfiltrate sensitive data, leading to significant financial and reputational damage. The lack of visibility makes remediation challenging.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement static analysis tools capable of detecting invisible Unicode characters in source code repositories (reference: Overview).</li>
<li>Deploy the Sigma rules provided below to identify suspicious process executions originating from build processes that may indicate Glassworm activity.</li>
<li>Educate developers about the risks associated with invisible Unicode characters and the importance of careful code review (reference: Attack Chain).</li>
<li>Implement multi-factor authentication on all developer accounts to prevent account compromise (reference: Attack Chain).</li>
<li>Monitor network traffic for connections to suspicious or unknown domains originating from build processes (reference: Attack Chain).</li>
<li>Utilize file integrity monitoring (FIM) to track changes to critical files within repositories and development environments (reference: Attack Chain).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>supply-chain</category><category>unicode</category><category>malware</category><category>github</category></item><item><title>GlassWorm V2 Infrastructure Rotation and GitHub Injection Analysis</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-glassworm-v2-analysis/</link><pubDate>Sun, 15 Mar 2026 13:51:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-glassworm-v2-analysis/</guid><description>Analysis of GlassWorm V2 reveals infrastructure rotation and GitHub injection techniques.</description><content:encoded><![CDATA[<p>This threat brief summarizes an analysis of GlassWorm V2, focusing on its infrastructure rotation and GitHub injection techniques. While specific details regarding the threat actor and initial attack vectors are not provided in this analysis, the report highlights the malware&rsquo;s ability to dynamically change its command and control (C2) infrastructure and potentially leverage GitHub for code injection or storage. Understanding these techniques is crucial for defenders to develop robust detection and mitigation strategies against this evolving threat. The full analysis is available on Codeberg.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The specific initial access vector is unknown.</li>
<li>GitHub Injection: The malware leverages GitHub to host malicious code or configurations, potentially obfuscating its activities within legitimate traffic.</li>
<li>Infrastructure Rotation: GlassWorm V2 employs techniques to rotate its C2 infrastructure, making it more difficult to track and block.</li>
<li>Communication: The malware establishes communication with its C2 server using the dynamically updated infrastructure.</li>
<li>Command Execution: The C2 server issues commands to the infected host.</li>
<li>Persistence: The persistence mechanism is unknown.</li>
<li>Data Exfiltration/Lateral Movement/Impact: The ultimate goal is currently unknown.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of a successful GlassWorm V2 infection could range from data theft and system compromise to disruption of services, depending on the specific objectives of the attacker. The use of infrastructure rotation makes it harder to block attacker infrastructure. The GitHub injection may also lead to supply chain concerns.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for connections to unusual or newly registered domains, even if they initially appear benign.</li>
<li>Implement file integrity monitoring on systems to detect unauthorized modifications to critical system files.</li>
<li>Consider using tools that specifically analyze and detect malicious use of GitHub repositories.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>malware</category><category>github</category><category>infrastructure</category></item><item><title>GitHub SSH Certificate Configuration Changed</title><link>https://feed.craftedsignal.io/briefs/2024-11-github-ssh-cert-config-changed/</link><pubDate>Sat, 02 Nov 2024 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-github-ssh-cert-config-changed/</guid><description>Attackers can modify SSH certificate configurations in GitHub organizations to gain unauthorized access, persist in the environment, escalate privileges, and operate stealthily.</description><content:encoded><![CDATA[<p>Attackers can abuse SSH certificate authorities in GitHub to gain unauthorized access to repositories. By creating or disabling SSH certificate requirements, attackers can bypass existing security controls and establish persistent access. This activity is logged in the GitHub audit logs, specifically when <code>ssh_certificate_authority.create</code> or <code>ssh_certificate_requirement.disable</code> actions are performed. Successful exploitation allows attackers to commit malicious code, steal sensitive data, or disrupt development workflows, impacting the integrity and confidentiality of the organization&rsquo;s resources. The GitHub audit log streaming feature must be enabled to detect this activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An attacker gains initial access to a GitHub organization, potentially through compromised credentials or social engineering.</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates their privileges to an organizational role capable of managing SSH certificate authorities.</li>
<li><strong>SSH Certificate Authority Creation:</strong> The attacker creates a new SSH certificate authority within the GitHub organization (<code>ssh_certificate_authority.create</code>).</li>
<li><strong>Disable SSH Certificate Requirement:</strong> Alternatively, the attacker disables the requirement for members to use SSH certificates to access organization resources (<code>ssh_certificate_requirement.disable</code>). This action allows attackers to bypass security controls that enforce SSH certificate usage.</li>
<li><strong>Unauthorized Access:</strong> The attacker utilizes the newly created SSH certificate authority or the disabled requirement to access repositories without proper authorization.</li>
<li><strong>Lateral Movement:</strong> The attacker moves laterally within the GitHub organization, accessing additional repositories and resources.</li>
<li><strong>Data Exfiltration/Malicious Code Injection:</strong> The attacker exfiltrates sensitive data or injects malicious code into the organization&rsquo;s repositories.</li>
<li><strong>Persistence:</strong> The attacker maintains persistent access by using the created SSH certificate authority or the disabled requirement for future unauthorized activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of SSH certificate configurations in GitHub can lead to unauthorized code commits, data breaches, and supply chain attacks. This could result in financial losses, reputational damage, and legal repercussions for the affected organization. The number of affected repositories and the severity of the impact depend on the scope of the attacker&rsquo;s access and the sensitivity of the compromised data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the GitHub audit log streaming feature to capture SSH certificate configuration changes (logsource: github, service: audit, definition).</li>
<li>Deploy the provided Sigma rule to detect <code>ssh_certificate_authority.create</code> or <code>ssh_certificate_requirement.disable</code> events in the GitHub audit logs (rule: Github SSH Certificate Configuration Changed).</li>
<li>Regularly review GitHub audit logs for any unauthorized modifications to SSH certificate configurations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>ssh</category><category>certificate</category><category>initial-access</category><category>persistence</category><category>privilege-escalation</category><category>stealth</category><category>t1078.004</category></item><item><title>GitHub Security Feature Disablement</title><link>https://feed.craftedsignal.io/briefs/2024-11-github-security-disabled/</link><pubDate>Thu, 31 Oct 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-github-security-disabled/</guid><description>An administrator or privileged user disables critical security features within a GitHub organization or repository, potentially leading to increased risk of unauthorized access, data breaches, and persistent compromise.</description><content:encoded><![CDATA[<p>This brief addresses the threat of unauthorized or malicious disabling of security features within GitHub organizations and repositories. Attackers or malicious insiders might disable features like Advanced Security, OAuth application restrictions, or two-factor authentication to weaken the security posture, gain unauthorized access, and establish persistence. The affected features span across advanced security, OAuth application management, and two-factor authentication enforcement. These actions can be performed by users with administrative or owner privileges within the GitHub organization. Defenders need to monitor for these configuration changes to ensure security best practices are maintained and to quickly identify potential malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a GitHub account with organization owner or administrator privileges through compromised credentials or insider access.</li>
<li>The attacker authenticates to the GitHub organization or repository using the compromised account.</li>
<li>The attacker navigates to the organization settings or repository settings, depending on the scope of the targeted security feature.</li>
<li>The attacker disables advanced security features (e.g., <code>business_advanced_security.disabled_for_new_repos</code>, <code>repo.advanced_security_disabled</code>) through the GitHub web interface or API.</li>
<li>Alternatively, the attacker disables OAuth application restrictions (<code>org.disable_oauth_app_restrictions</code>) to allow potentially malicious applications to access organizational data.</li>
<li>Or, the attacker disables the two-factor authentication requirement (<code>org.disable_two_factor_requirement</code>) for the organization, weakening account security.</li>
<li>The attacker may then proceed to exploit the weakened security posture to access sensitive repositories, modify code, or exfiltrate data.</li>
<li>The attacker establishes persistent access by creating rogue OAuth applications or adding unauthorized users to the organization.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling security features in GitHub can lead to severe consequences. A successful attack can result in unauthorized access to sensitive code repositories, intellectual property theft, and data breaches. Disabling two-factor authentication makes accounts more vulnerable to credential stuffing and phishing attacks. The scope can range from a single repository to an entire organization, impacting hundreds or thousands of users and projects. The financial and reputational damage to the organization can be significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Github High Risk Configuration Disabled</code> to detect the disabling of critical security features by monitoring GitHub audit logs.</li>
<li>Enable audit log streaming as documented in the rule definition to ensure that the necessary logs are captured for detection.</li>
<li>Investigate any detected instances of security feature disabling to determine if they are legitimate administrator actions or malicious activity.</li>
<li>Enforce multi-factor authentication (MFA) for all users, especially those with administrative privileges, and monitor for attempts to disable MFA.</li>
<li>Regularly review and validate GitHub organization and repository settings to ensure that security features are enabled and configured correctly.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>github</category><category>security-configuration</category><category>defense-evasion</category></item><item><title>GitHub Push Protection Bypass Detection</title><link>https://feed.craftedsignal.io/briefs/2024-04-github-push-protection-bypass/</link><pubDate>Mon, 29 Apr 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-04-github-push-protection-bypass/</guid><description>Detection of a GitHub user bypassing push protection, potentially leading to the exposure of secrets.</description><content:encoded><![CDATA[<p>This alert detects when a GitHub user bypasses the push protection mechanism designed to prevent secrets from being committed to a repository. GitHub&rsquo;s push protection, part of its secret scanning feature, is intended to block commits containing sensitive information like API keys or credentials. A bypass indicates a deliberate attempt to circumvent this security measure. A successful bypass can lead to exposure of secrets, increasing the risk of unauthorized access and data breaches. The activity is logged within GitHub&rsquo;s audit logs, provided that the audit log streaming feature is enabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Developer attempts to commit code containing a secret to a GitHub repository.</li>
<li>GitHub&rsquo;s push protection mechanism detects the secret and blocks the push.</li>
<li>The developer intentionally bypasses the push protection, potentially using allowed administrative activities to circumvent the block.</li>
<li>The code, including the secret, is successfully pushed to the repository.</li>
<li>The secret becomes exposed within the repository&rsquo;s history.</li>
<li>Unauthorized actors may discover the exposed secret by scanning the repository.</li>
<li>Unauthorized actors may use the exposed secret to gain unauthorized access to systems or data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful bypass of GitHub push protection can lead to secrets being exposed in a repository. This exposure can lead to unauthorized access to sensitive systems or data. The severity of the impact depends on the scope of access granted by the exposed secret, and the visibility of the repository.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable audit log streaming in GitHub to ensure relevant events are captured.</li>
<li>Deploy the Sigma rule &ldquo;Github Push Protection Bypass Detected&rdquo; to your SIEM and tune for your environment using GitHub audit logs.</li>
<li>Investigate any detected bypass events to determine the context and impact of the bypassed secret.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>defense-impairment</category><category>t1685</category><category>github</category></item><item><title>Detection of New GitHub Actions Secrets Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-secret-creation/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-secret-creation/</guid><description>This analytic detects the creation of new GitHub Actions secrets at the organization, environment, codespaces, or repository level, potentially indicating malicious persistence or privilege escalation.</description><content:encoded><![CDATA[<p>This detection identifies the creation of new secrets within GitHub Actions. Threat actors may create or modify secrets to gain unauthorized access, establish persistence, or escalate privileges within the GitHub environment. The activity is captured via GitHub&rsquo;s audit logs. The scope of this detection encompasses the creation of secrets at the organization, environment, codespaces, or repository level. Successful detection of this activity allows security teams to investigate potentially malicious modifications to GitHub Actions secrets, which could lead to supply chain compromise or data exfiltration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a GitHub account, potentially through compromised credentials or phishing (T1078.004).</li>
<li>The attacker authenticates to the GitHub organization or repository.</li>
<li>The attacker navigates to the settings for the organization, environment, codespaces, or repository.</li>
<li>The attacker creates a new secret within the GitHub Actions settings, using the GitHub API or web interface.</li>
<li>The secret is stored within GitHub&rsquo;s infrastructure, accessible to GitHub Actions workflows.</li>
<li>The attacker modifies or creates a GitHub Actions workflow that utilizes the newly created secret.</li>
<li>The workflow executes, using the secret to perform privileged actions such as accessing sensitive data or deploying malicious code.</li>
<li>The attacker achieves persistence or elevates their privileges within the GitHub environment, potentially compromising the entire software supply chain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, code injection, and supply chain compromise. The impact ranges from low, in cases where the secret is used for benign purposes, to critical if the secret is used to deploy malicious code into production environments. While the number of affected organizations is unknown, the potential for widespread impact across the software supply chain makes this a critical area for monitoring.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable GitHub audit log streaming to capture the events necessary for this detection (see <code>logsource</code> definition).</li>
<li>Deploy the Sigma rule <code>Github New Secret Created</code> to your SIEM and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the &ldquo;actor&rdquo; involved in creating the secret.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>github</category><category>persistence</category><category>privilege-escalation</category><category>initial-access</category></item><item><title>GitHub Repository Archive Status Changed</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-repo-archive-status-changed/</link><pubDate>Thu, 04 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-repo-archive-status-changed/</guid><description>Detection of GitHub repository archiving or unarchiving events, which could indicate malicious activity such as persistence, impact, or defense impairment.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of unauthorized changes to GitHub repository archive status. Attackers may archive or unarchive repositories as a means of persistence, to impact the availability of resources, or to impair defenses by hiding malicious code. The activity is logged within GitHub&rsquo;s audit logs and can be monitored to identify potentially malicious actions. Monitoring these events can help organizations identify and respond to unauthorized modifications of their GitHub repositories. This is especially relevant for organizations relying heavily on GitHub for code management and collaboration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a GitHub account with repository administration privileges.</li>
<li>The attacker authenticates to the GitHub platform using the compromised credentials or a stolen session token.</li>
<li>The attacker navigates to the settings page of a target repository.</li>
<li>The attacker modifies the repository&rsquo;s archive status, either archiving or unarchiving it depending on their objective.</li>
<li>GitHub logs the &lsquo;repo.archived&rsquo; or &lsquo;repo.unarchived&rsquo; action in the organization&rsquo;s audit logs.</li>
<li>(If archiving) Legitimate users may lose access to the repository and its code, causing disruption.</li>
<li>(If unarchiving) The attacker might reintroduce vulnerable code or malicious content into an active repository.</li>
<li>The attacker may then attempt to exploit the unarchived repository for further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of unauthorized repository archiving or unarchiving can range from temporary disruption of services to the reintroduction of vulnerable code. A successful attack could lead to data breaches, code compromise, or supply chain attacks. The number of affected repositories depends on the scope of the attacker&rsquo;s access and objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;GitHub Repository Archive Status Changed&rdquo; to your SIEM and tune for your environment. This rule detects the <code>repo.archived</code> and <code>repo.unarchived</code> actions in GitHub audit logs (logsource: github, service: audit).</li>
<li>Review GitHub audit logs regularly for unexpected repository archiving or unarchiving events.</li>
<li>Investigate any detected events to determine if the actions were authorized.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>github</category><category>repository</category><category>archive</category><category>unarchive</category><category>persistence</category><category>impact</category><category>defense-impairment</category></item><item><title>GitHub Self-Hosted Runner Configuration Changes Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-runner-changes/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-runner-changes/</guid><description>Detection of changes to self-hosted runner configurations in GitHub environments can indicate potential impact, discovery, collection, persistence, privilege escalation, initial access, or stealth activities.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting changes to self-hosted runner configurations within GitHub environments. Self-hosted runners are systems deployed and managed by users to execute jobs from GitHub Actions, providing flexibility and control over the execution environment. Monitoring these runners is crucial because unauthorized modifications can lead to various malicious activities, including data collection, persistence, privilege escalation, or even initial access. The rule provided detects such changes based on audit logs, requiring administrators to validate the changes through the GitHub UI for complete context. Detecting these modifications early can help prevent or mitigate potential security breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a GitHub organization or repository with permissions to manage self-hosted runners. This could be achieved through compromised credentials (T1078.004) or by exploiting a vulnerability.</li>
<li>The attacker modifies the configuration of an existing self-hosted runner group or creates a new runner group (<code>org.runner_group_created</code>).</li>
<li>The attacker adds or removes runners from a runner group (<code>org.runner_group_runners_added</code>, <code>org.runner_group_runner_removed</code>, <code>org.runner_group_updated</code>).</li>
<li>Alternatively, the attacker registers a new self-hosted runner within the environment (<code>repo.register_self_hosted_runner</code>).</li>
<li>The attacker removes an existing self-hosted runner from the environment (<code>repo.remove_self_hosted_runner</code>, <code>org.remove_self_hosted_runner</code>).</li>
<li>The attacker uses the compromised runner or runner group to execute malicious code within the GitHub Actions workflow, potentially collecting sensitive data or escalating privileges.</li>
<li>The attacker leverages the compromised runner to establish persistence within the GitHub environment, ensuring continued access.</li>
<li>The attacker exploits the compromised runner to gain initial access to other systems or networks connected to the GitHub environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised self-hosted runners can lead to a range of impacts, including data exfiltration, code injection, and privilege escalation within the targeted GitHub environment. Successful attacks could result in unauthorized access to sensitive repositories, modification of code, or deployment of malicious software. The impact can vary depending on the scope of the compromised runner and the permissions associated with it. The effects could extend beyond the GitHub environment if the compromised runner has access to other systems or networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the audit log streaming feature in GitHub to capture events related to self-hosted runner modifications, as required by the logsource definition.</li>
<li>Deploy the Sigma rule &ldquo;Github Self Hosted Runner Changes Detected&rdquo; to your SIEM and tune for your specific environment to detect suspicious configuration changes.</li>
<li>Regularly review the audit logs in the GitHub UI to validate any detected changes to self-hosted runners and runner groups and confirm that the modifications are legitimate.</li>
<li>Implement strict access control policies for managing self-hosted runners, limiting permissions to only authorized personnel.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>github</category><category>self-hosted-runner</category><category>audit-log</category><category>devops</category><category>supply-chain</category></item></channel></rss>