
GitHub being used in phishing/social engineering attacks

he1to (Premium)
Registered: 17.08.2023
Messages: 64
Reactions: 12
Escrow deals: 4
Deposit: 0.04
Hello, recently I've talked with someone who told me there is a way to hack web-application tokens through GitHub code execution. For the past few days I've been trying to research this topic, since the guy who told me this didn't go into any details. He just said it is a GitHub logger. This kind of thing is being used in phishing attacks to obtain web-application tokens. It all starts with social engineering, then luring the victim to GitHub, where he is social-engineered into executing malicious code that captures his tokens/passwords. While doing research I found a very interesting article which describes a similar type of attack from the widely known Lazarus.

I would like to know more on this topic; if you find this interesting, let me know, since there is a way to monetize this heavily.

Some questions I have on this topic:
1. Where do they obtain aged GitHub accounts with badges and previous repos?
2. What is the tactic to make the victim execute the code (by impersonating a recruiter or fellow dev)?
3. Any real-time GitHub repo examples of this?
4. How much would it cost to set up a campaign like this (including buying the GitHub account, setting up social media, buying the malicious code, etc.)?
 
A tool I saw recently for working with GitHub SE: https://xss.pro/threads/120515/
After reading the article you provided, I think you are looking for supply chain attacks on open-source software repositories, but that's not GitHub specifically, more the code repositories for each language.
 
The strongest open source backdoor attempt, and definitely the strongest this year, was not discussed on this forum:


Study this, and if you have interesting observations (technical, not accusations about which country or government), open a thread; I will join.
It wasn't in Debian but upstream. It was intricate and a multi-year effort.
This is a good lesson for noobs and experts alike: write code without such tricks, plus minimal and easy dependency management. It was linked with libsystemd.
Moreover, the xz build system was fucked up, to say the least, in terms of complexity, so nobody paid attention.
Thank you, Andreas FR. Saved our asses.

This is not just Debian, but even RPM-based. It has some x86_64 bin injections, so it works with x86 systems.
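The xz case above hinges on a dependency chain (the post notes it was linked in via libsystemd) that nobody was watching. As an added example that is not part of this thread, the POSIX shell snippet below takes `ldd` output for a binary and reports whether liblzma (xz's shared library) appears among its linked objects, so a defender can enumerate which programs on a host would be exposed by a compromised xz build. The sample `ldd` lines are constructed for illustration, and the binary path you pass to `check_binary` is your own choice (the script assumes nothing about which binary is affected).

```shell
#!/bin/sh
# Added defensive example (not from the thread): flag binaries whose shared
# objects include liblzma, the library shipped by xz.

# links_liblzma: takes ldd-style output as its single argument.
# Returns 0 if a liblzma.so entry is present, 1 otherwise.
links_liblzma() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])liblzma\.so'
}

# check_binary: runs ldd on a real binary (path is your own assumption) and
# prints a verdict. Returns 0 if liblzma is linked, 1 if not, 2 on error.
check_binary() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "skip: $bin not found or not executable"
        return 2
    fi
    out=$(ldd "$bin" 2>/dev/null) || { echo "skip: ldd failed on $bin"; return 2; }
    if links_liblzma "$out"; then
        echo "$bin links liblzma (verify the installed xz package and its provenance)"
        return 0
    fi
    echo "$bin does not link liblzma"
    return 1
}

# Constructed sample ldd output (not captured from a real host): a binary that
# pulls in libsystemd and, through it, liblzma.
SAMPLE_WITH_LZMA='    linux-vdso.so.1 (0x00007ffd00000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Constructed sample for a binary with no liblzma dependency.
SAMPLE_WITHOUT_LZMA='    linux-vdso.so.1 (0x00007ffd00000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Usage: ./check.sh /path/to/binary   (runs ldd on that binary)
#        ./check.sh                    (runs against the constructed samples)
if [ -n "${1:-}" ]; then
    check_binary "$1"
else
    links_liblzma "$SAMPLE_WITH_LZMA" && echo "sample 1: liblzma linked"
    links_liblzma "$SAMPLE_WITHOUT_LZMA" || echo "sample 2: liblzma not linked"
fi
```

Run it over the binaries you care about (for example, everything in a service's process tree) and treat any hit as a prompt to confirm the xz package version and where it came from, not as proof of compromise on its own.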
 

