Compose GitHub Repositories as Malware Vectors

As part of my work each week preparing the JetC newsletter, I review all of the GitHub repositories that have been updated in the past week and are tagged with jetpack-compose or compose-multiplatform. Not only does this give me material for the newsletter, but it gives me unusual insight into what is being published pertaining to Compose.

In the past month or so, I have noticed repositories that purport to be Compose libraries, but in reality are distributing malware. I have reported a total of five repositories to GitHub and am keeping an eye on others that match the pattern but do not yet have obvious malware.

The pattern is:

  • The repositories share a name and most of their content with existing repositories, but usually replace the home page (the README) with a generic one. They are not true GitHub forks, or at least do not show up as such in the GitHub UI, but the repositories share commits with their originating repositories. This helps the attacker appear legitimate, as GitHub happily reports the originating author as a contributor on the attacker’s project.

  • The malware is in the form of a ZIP archive containing a Lua interpreter, an obfuscated Lua script, and a Windows command file to launch the interpreter and run the script.

  • That malware usually is distributed in the Releases area and often is linked from the modified repository home page, so a developer who trusts the README is steered straight to the payload.
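The three-part payload described above (interpreter, obfuscated script, launcher) is easy to triage mechanically before anyone double-clicks anything. The following is an added example, not code from the post or from any of the repositories involved: a small Python script that inspects a release ZIP for that combination. The file-name patterns, the entropy threshold used as an "obfuscated" heuristic, and the two sample archives are my own assumptions and constructed test data; the script never executes anything from the archive.

```python
"""Triage a release ZIP for the Lua-dropper pattern: a Lua interpreter,
an obfuscated .lua script, and a Windows .cmd/.bat launcher that runs
the interpreter on the script. Nothing in the archive is executed."""
import io
import math
import zipfile
from collections import Counter

LAUNCHER_EXT = (".cmd", ".bat")
SCRIPT_EXT = (".lua", ".luac")
ENTROPY_THRESHOLD = 4.5  # assumption: plain Lua source is usually well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded blobs score high, readable source low."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_lua_interpreter(basename: str, head: bytes) -> bool:
    # Name-based match (lua54.exe, lua.exe, lua51.dll, luajit.exe ...)
    # backed by the PE "MZ" magic so a renamed text file does not count.
    return basename.startswith("lua") and basename.endswith((".exe", ".dll")) and head.startswith(b"MZ")


def triage_zip(blob: bytes) -> dict:
    """Return the indicators found in the archive and an overall verdict."""
    result = {"interpreters": [], "scripts": [], "launchers": [],
              "launcher_runs_lua": False, "high_entropy_script": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            data = zf.read(info)  # read only; never extracted to disk
            if looks_like_lua_interpreter(base, data[:2]):
                result["interpreters"].append(name)
            elif base.endswith(SCRIPT_EXT):
                result["scripts"].append(name)
                if shannon_entropy(data) > ENTROPY_THRESHOLD:
                    result["high_entropy_script"] = True
            elif base.endswith(LAUNCHER_EXT):
                result["launchers"].append(name)
                text = data.decode("utf-8", errors="replace").lower()
                if "lua" in text and any(ext in text for ext in SCRIPT_EXT):
                    result["launcher_runs_lua"] = True
    result["matches_pattern"] = bool(
        result["interpreters"] and result["scripts"] and result["launchers"])
    return result


def _zip_from(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed stand-in for a malicious release archive (not a real sample)."""
    # 90 distinct byte values, 20 each: entropy ~ log2(90) = 6.49 bits/byte
    junk = "".join(chr(33 + i % 90) for i in range(1800))
    return _zip_from({
        "ComposeLib/lua54.exe": b"MZ" + b"\x00" * 64,
        "ComposeLib/script.lua": ("local s=[[" + junk + "]] load(s)()").encode(),
        "ComposeLib/run.cmd": b"@echo off\r\nlua54.exe script.lua\r\n",
    })


def build_benign_zip() -> bytes:
    """Constructed stand-in for a normal library release."""
    return _zip_from({
        "composelib-1.0.0/README.md": b"# ComposeLib\n",
        "composelib-1.0.0/composelib-1.0.0.aar": b"PK\x03\x04" + b"\x00" * 16,
    })


if __name__ == "__main__":
    for label, blob in (("suspect", build_sample_zip()), ("benign", build_benign_zip())):
        print(label, triage_zip(blob))
```

Point it at a downloaded release asset with `triage_zip(open(path, "rb").read())`. A hit on all three components is a strong signal worth a report even before the Lua script is deobfuscated; a hit on only one of them is noise, which is why the verdict requires the full triad.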

GitHub has taken down the original two repositories that I reported. The other three I reported yesterday, so hopefully I will get responses from GitHub in a few days.

If you develop using Compose libraries, confirm that you are depending on the legitimate project, not a malware-laden clone: check that the repository is the one the library's documentation and Maven coordinates point to, and be suspicious of a "release" that is a ZIP of Windows executables rather than an AAR or a tag. If you publish Compose libraries… I do not know if GitHub gives you a way to see what repositories contain your commits, but if it does, you might want to keep an eye on that list and confirm that they are real forks and not vectors for malware.
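The distinguishing mark of these clones is that they carry the original author's commits without being declared forks. That is checkable from the consumer side with two public GitHub REST endpoints (`GET /repos/{owner}/{repo}`, which reports `fork` and `parent`, and `GET /repos/{owner}/{repo}/commits`). The following is an added example, not code from the post: the network calls are separated from a pure `assess()` function so the logic can be exercised offline, and the two metadata dicts and commit lists at the bottom are constructed sample data, not real repositories. The labels in the verdict are my own.

```python
"""Check whether a candidate repository is a declared fork of an origin
repository, an undeclared clone sharing its history, or unrelated."""
import json
import os
import urllib.request

API = "https://api.github.com"


def fetch_json(url: str):
    """GET a GitHub API URL; GITHUB_TOKEN is optional but raises the rate limit."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def repo_metadata(full_name: str) -> dict:
    return fetch_json(f"{API}/repos/{full_name}")


def commit_shas(full_name: str, per_page: int = 100) -> list:
    """SHAs of the most recent commits on the default branch."""
    commits = fetch_json(f"{API}/repos/{full_name}/commits?per_page={per_page}")
    return [c["sha"] for c in commits]


def assess(candidate_meta: dict, candidate_shas: list, origin_shas: list) -> dict:
    """Pure classification; takes API JSON and commit lists, returns a verdict."""
    shared = set(candidate_shas) & set(origin_shas)
    declared_fork = bool(candidate_meta.get("fork"))
    parent = (candidate_meta.get("parent") or {}).get("full_name")
    if declared_fork:
        verdict = "declared fork"
    elif shared:
        # Shares the origin's history but GitHub does not show a fork
        # relationship: the pattern seen in the malicious clones.
        verdict = "undeclared clone"
    else:
        verdict = "unrelated"
    return {
        "candidate": candidate_meta.get("full_name"),
        "declared_fork": declared_fork,
        "parent": parent,
        "shared_commits": len(shared),
        "created_at": candidate_meta.get("created_at"),
        "verdict": verdict,
    }


def check(candidate: str, origin: str) -> dict:
    """Live version: compare candidate to origin over the GitHub API."""
    return assess(repo_metadata(candidate), commit_shas(candidate), commit_shas(origin))


# Constructed sample data (hypothetical repositories, not real API responses).
SAMPLE_ORIGIN_SHAS = ["a1" * 20, "b2" * 20, "c3" * 20]
SAMPLE_CLONE_META = {"full_name": "someone/compose-widgets", "fork": False,
                     "parent": None, "created_at": "2024-05-01T00:00:00Z"}
SAMPLE_CLONE_SHAS = ["d4" * 20, "a1" * 20, "b2" * 20]   # new README commit on top
SAMPLE_FORK_META = {"full_name": "dev/compose-widgets", "fork": True,
                    "parent": {"full_name": "author/compose-widgets"},
                    "created_at": "2023-01-01T00:00:00Z"}
SAMPLE_OTHER_SHAS = ["e5" * 20, "f6" * 20]

if __name__ == "__main__":
    print(assess(SAMPLE_CLONE_META, SAMPLE_CLONE_SHAS, SAMPLE_ORIGIN_SHAS))
    print(assess(SAMPLE_FORK_META, SAMPLE_CLONE_SHAS, SAMPLE_ORIGIN_SHAS))
```

Run `check("someone/compose-widgets", "author/compose-widgets")` for a live comparison. An "undeclared clone" result is not proof of malice on its own (mirrors and imports look the same), but combined with a recently created account, a rewritten README and a Windows ZIP in Releases it is exactly the profile described above.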

And, if you are GitHub… it is well past time for you to be implementing malware detection on uploaded ZIP archives. Relying on random balding guys to report malware to you reflects poorly on GitHub and Microsoft.