DeepSource, a popular automated code analysis tool, is designed to identify vulnerabilities, bugs and performance issues. It integrates with GitHub, and the DeepSource developers have now disclosed that their GitHub application was compromised.
DeepSource reported this week that GitHub's security team had notified it of potentially malicious activity observed in June.
“On July 11th, around 5AM UTC, DeepSource was notified by the GitHub Security Team that they were tracking potentially malicious activity related to the DeepSource Github application,” says the official DeepSource statement.
Since mid-June, GitHub staff had observed numerous requests from IP addresses that were unusual for DeepSource users, but despite this abnormal traffic they were not certain that a compromise had occurred.
To limit whatever access attackers might have gained, DeepSource immediately took precautions: it revoked all client tokens, secrets and private keys.
Because the cause of the attack was unclear, all employee credentials and keys were revoked as well. The company says an internal investigation ultimately found no irregularities and that DeepSource's wider infrastructure was not affected.
A more detailed investigation by GitHub revealed that the attackers had compromised the GitHub account of a DeepSource employee during the Sawfish phishing campaign detected earlier this year. Through that account they obtained the credentials of the DeepSource GitHub application.
“Unfortunately, GitHub’s privacy policy does not allow sharing a list of affected users with us, so we are publicly reporting the issue and waiting for GitHub to complete its investigation. It is our understanding that GitHub will notify affected users directly, in accordance with the rules,” write the DeepSource developers.
Users who want more detail about downloads and other account activity, in order to spot suspicious behavior, can request the relevant logs from GitHub on this page.
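The signal GitHub acted on was access from IP addresses unusual for the DeepSource integration, and the log review suggested above amounts to the same check on your own side. The following is an added example (not DeepSource's or GitHub's code) that flags an integration actor's events from outside its known egress ranges and lists which repositories each unusual IP touched; the event field names, the addresses and the egress range are all constructed assumptions, not GitHub's exact export schema.

```python
import ipaddress
import json

# Constructed sample of audit-style events in JSON Lines form. The field
# names (ts, actor, actor_ip, action, repo) are an assumption for this
# example, not GitHub's exact audit log schema.
SAMPLE_LOG = """
{"ts": "2020-06-14T02:10:00Z", "actor": "deepsource-bot", "actor_ip": "203.0.113.10", "action": "git.clone", "repo": "acme/app"}
{"ts": "2020-06-14T02:11:00Z", "actor": "deepsource-bot", "actor_ip": "203.0.113.11", "action": "git.clone", "repo": "acme/api"}
{"ts": "2020-06-15T23:40:00Z", "actor": "deepsource-bot", "actor_ip": "198.51.100.77", "action": "git.clone", "repo": "acme/app"}
{"ts": "2020-06-16T00:02:00Z", "actor": "deepsource-bot", "actor_ip": "198.51.100.77", "action": "git.clone", "repo": "acme/secrets"}
{"ts": "2020-06-16T09:00:00Z", "actor": "alice", "actor_ip": "192.0.2.5", "action": "git.push", "repo": "acme/app"}
"""

# Assumed: the integration's documented egress range (constructed value).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_events(raw):
    """Parse JSON Lines into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def flag_unusual_ips(events, actor, known_nets):
    """Return the events where `actor` acted from an IP outside `known_nets`."""
    flagged = []
    for ev in events:
        if ev["actor"] != actor:
            continue
        ip = ipaddress.ip_address(ev["actor_ip"])
        if not any(ip in net for net in known_nets):
            flagged.append(ev)
    return flagged


def repos_touched_by_ip(events, ip):
    """Scope the blast radius: the repositories a given source IP accessed."""
    return sorted({ev["repo"] for ev in events if ev["actor_ip"] == ip})


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    hits = flag_unusual_ips(events, "deepsource-bot", KNOWN_EGRESS)
    for ev in hits:
        print(ev["ts"], ev["actor_ip"], ev["action"], ev["repo"])
    for ip in sorted({ev["actor_ip"] for ev in hits}):
        print(ip, "touched:", repos_touched_by_ip(events, ip))
```

Any repository reached from a flagged address is the set whose tokens and secrets need rotating first.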
DeepSource says it is already working with information security consultants and is taking steps to improve its security, including security and anti-phishing training for its employees. It also plans to launch a bug bounty program.
As a reminder, the Octopus Scanner malware was recently discovered on GitHub.