Explain release #176
Comments
@chadwhitacre Yes, it is. The Gitea had the same release:
While I'm not a maintainer, it seems I've got write access, so I've taken down the release. Here is a screenshot for posterity. Will reach out to @waldyrious now.
I will be in https://appear.in/release-0-compromised while I attend to this
Ok, I am a member of the org, but not an owner. @waldyrious is on the owner team, as are 3 others. Pinging @opencompany/owners
Immediately, until Github does something I guess having one of the other owners @galuszkak @tenkabuto @timothyfcook remove @waldyrious permissions for the meantime is the right step forward.
Pinging:
The other orgs are only waldy
Thanks for the ping. I've removed the `install.exe` from my release (but not after downloading it, let's get IDA Pro warmed up and see what it is :P ).
Thank you! I've removed the file from JuliaLangPt org.
Okay. I've submitted a report to GitHub via https://bounty.github.com that has gone on their hackerone: https://hackerone.com/bugs?report_id=363401 That's all I can do.
Thanks for the ping, I've also deleted the release with the EXE file from https://github.com/tldr-pages/tldr/releases.
It's ... a bitcoin miner.
What the hell just happened? Is @waldyrious' account compromised? Deleted the exe from node-client release. @Leandros - Aha!
Alright. I'm signing off as it is evening here. If anyone still needs me, Good work everyone. Also thanks @justinclift for the heads up.
No worries at all @balupton. 😄 As a data point, @graystevens is the one who noticed the problem in your repo, as mentioned here along with his initial analysis of the exe: go-gitea/gitea#4167 (comment)
@Leandros That comment in the Gitea repo might be of interest to you too, as @graystevens has already done some initial analysis.
Cheers for the nudge @justinclift. Some awesome information in here, seems we have some other repos compromised with the same binary - nice find. @Leandros if you get anywhere with IDA let me know, be interested to know how close I got with my dynamic analysis.
Just tried accessing that HackerOne URL. It requires sign-up first, which seems a bit weird. Oh well, I guess it's to stop the merely curious from looking. 😄
Hi everyone. I'm very sorry about the whole situation. I don't know what's happened to my account (either it got compromised or one of the apps I have enabled has malfunctioned). My account is currently flagged, likely as a result of @balupton's report (thanks for doing that). I'm reaching out to Github, and in the meantime I've re-enabled 2FA on my account -- I can't recall why I had disabled it the last time I had set it up. I'll keep you posted regarding any updates. Once more, sorry for this whole mess.
Awesome work @balupton et al.! 👏 Closing since the release is gone from here, hopefully @waldyrious and GitHub get their situation sorted out soon.
@waldyrious account page here on GitHub is 404-ing now: https://github.com/waldyrious But several of the repos - including this OpenCompany one - still have the malware showing.
@chadwhitacre Do you have edit/change access to this repo, as it still has the malware? https://github.com/opencompany/opencompany.github.io/releases <-- still has malware. Note that the tag page version doesn't have the malware, while the release page version does: https://github.com/opencompany/www.opencompany.org/releases/tag/0 <-- no malware
Oh @balupton, you have write access so should be able to fix. Sorry for keeping hassling you. 😇
No write access for that repo unfortunately. So someone else will need to do the removal. Got a response from GitHub about 24 hours ago, that they were looking into the reports. So that would explain the 404'ing.
Good catch @justinclift, reopening until https://github.com/opencompany/opencompany.github.io/releases is cleaned up.
@chadwhitacre deleted. Closing.
!m @galuszkak :o)
Yeah, @waldyrious' account was compromised. They've now changed their password, enabled 2-factor authentication, and revoked all sessions, and have commented here, but until GitHub unblocks their account said comment won't be visible. Source: tldr-pages Gitter channel. @waldyrious wants to thank @balupton for reporting their account to limit the damage, and says they will make sure everything is back to normal as soon as their account is unflagged.
Hi all. My account has just been unflagged. GitHub support has confirmed that it is now secured with the measures I took. I am now awaiting a response regarding what could have caused this problem. In any case, I apologize to everyone involved for the inconvenience. Many thanks for taking quick action! In light of this incident, I wonder if more people should be granted owner access to the opencompany org (@balupton in particular). Let me know what you think. ps - I edited @sbrl's comment above to fix a typo in my username :)
@waldyrious Good that you're back. 😄 Do you have access to change this release? It's still showing the malware available for download.
Update: I've deleted all the remaining releases mentioned in this comment, as well as:
I believe that completes the full list of releases made with my account, so everything should be sorted out now. Thanks again everyone, for bearing with me. Btw, I also deleted the tags using the CLI, since GitHub doesn't provide a way to do it in the web interface. For future reference, I created a two-liner script called

```sh
#!/bin/sh
# Usage: <script> owner/repo
# Clones the repo over SSH, then deletes tag "0" locally and on the remote.
git clone "git@github.com:$1.git" &&
(cd "$(echo "$1" | cut -d'/' -f2)" && git tag -d 0 && git push --delete origin 0)
```

which I then ran multiple times like this:
Huh... that's odd. The release was created by @danmichaelo. I suppose my account was used to append the executable as an attachment to it? In any case, I edited the release and removed the malware from it.
Thanks @waldyrious. 😄
Thank you for the heads up :) I had missed that one for sure.
Glad you got your account back! that everything is becoming sorted, and that I could be of use 😊
Whatever you decide I'm happy with 👍
Cool @balupton, I made you an owner. Cheers!
As the cause of the compromise seems to be a malicious script, to prevent future occurrences I think OpenCompany and other GitHub organisations should enable: For OpenCompany, we can do it via:
However, to enable Require 2FA for Organisation Members, all members must have 2FA enabled on their GitHub accounts or be removed. So I suggest that those without 2FA auth enabled do so. One can see which members have 2FA auth disabled via (replace
You can enable 2FA on GitHub via: https://github.com/settings/security The common options for setting up 2FA auth that I've encountered are:
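Both the cross-repo cleanup earlier in this thread and the 2FA audit suggested in this comment come down to querying the GitHub REST API. The following is an added example, not code from this thread or from any OpenCompany repo: it walks the JSON returned by GET /repos/{owner}/{repo}/releases and flags assets that are Windows executables or were uploaded by a named account, and the same helper can call GET /orgs/{org}/members?filter=2fa_disabled (which needs an org-owner token). OWNER/REPO/ORG/OWNER_TOKEN are placeholders and the sample release data is constructed.

```python
import json
import urllib.request

# File types that should not normally appear as release assets of a web/docs repo.
SUSPECT_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".ps1", ".dll")

def gh_get(path, token=None):
    """Live call to the GitHub REST API (not exercised offline)."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:  # an org-owner token is required for the 2fa_disabled member filter
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request("https://api.github.com" + path, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_suspect_assets(releases, flagged_logins=()):
    """Return (tag, asset name, uploader, download url, reason) per suspicious asset."""
    findings = []
    for rel in releases:
        for asset in rel.get("assets", []):
            name = asset.get("name", "")
            uploader = (asset.get("uploader") or {}).get("login", "")
            reasons = []
            if name.lower().endswith(SUSPECT_SUFFIXES):
                reasons.append("executable asset")
            if uploader in flagged_logins:
                reasons.append("uploaded by flagged account " + uploader)
            if reasons:
                findings.append((rel.get("tag_name"), name, uploader,
                                 asset.get("browser_download_url"), "; ".join(reasons)))
    return findings

# Constructed sample in the API's shape; logins and URLs are placeholders.
SAMPLE_RELEASES = json.loads("""[
 {"tag_name": "0", "assets": [
   {"name": "install.exe", "uploader": {"login": "compromised-user"},
    "browser_download_url": "https://example.invalid/install.exe"},
   {"name": "source.tar.gz", "uploader": {"login": "maintainer"},
    "browser_download_url": "https://example.invalid/source.tar.gz"}]},
 {"tag_name": "v1.2", "assets": []}
]""")

if __name__ == "__main__":
    for row in find_suspect_assets(SAMPLE_RELEASES, {"compromised-user"}):
        print(row)
    # Live use (placeholders): releases = gh_get("/repos/OWNER/REPO/releases")
    # no_2fa = gh_get("/orgs/ORG/members?filter=2fa_disabled", token="OWNER_TOKEN")
```

Run the live calls once per repository in the org; the tag page and the release page can differ, as noted above, so it is the release assets that need checking.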
Hmmm, wouldn't it be more that some malicious script is taking advantage of bad opsec? 2FA is kind of a way to hedge that bet, but does so at the expense of usability. The old security vs usability-for-users tradeoff. 😄 Note - Not saying it's not warranted, I'm just pointing out that org-wide rollouts will change where the needle is on the usability scale so might exclude or reduce the involvement of some members. Since OpenCompany isn't a huge org though, it's probably do-able. 😄
Interesting warning note at the bottom of the GitHub 2FA info page:
The only way they seem to have around that is by using Facebook. The mind boggles. 😉
I'm using Trezor for 2FA. You can always restore the key from the seed if you lose your hardware key.
Same with Authy. They have a security check or something you can use to regain access to your account. Don't know much more than that, as I've never had to use it :P
@waldyrious Can I ask what's up with https://github.com/opencompany/www.opencompany.org/releases/tag/0 ? The `*.exe` smells like a potential security compromise with your GitHub account. 😞