Explain release

[chadwhitacre]

@waldyrious Can I ask what's up with https://github.com/opencompany/www.opencompany.org/releases/tag/0 ? The *.exe smells like a potential security compromise with your GitHub account. 😞

[axifive]

@chadwhitacre Yes, it is. The Gitea had the same release: https://github.com/go-gitea/gitea/issues/4167

[balupton]

While I'm not a maintainer, it seems I've got write access, so I've taken down the release. Here is a screenshot for posterity. Will reach out to @waldyrious now.

[balupton]

I will be in https://appear.in/release-0-compromised while I attend to this

[balupton]

Ok, I am a member of the org, but not an owner. @waldyrious is on the owner team, as are 3 others. Pinging @opencompany/owners

[balupton]

Ok, I've sent an alert to github for the meantime:

Not sure what else I can do.

[balupton]

Immediately, until Github does something I guess having one of the other owners @galuszkak @tenkabuto @timothyfcook remove @waldyrious permissions for the meantime is the right step forward.

[balupton]

Looking through other orgs and repos he has access to, install.exe also appears other places:

• https://github.com/mwclient/mwclient/releases by @danmichaelo
• https://github.com/opencompany/opencompany.github.io/releases
• https://github.com/tldr-pages/tldr/releases by @rprieto
• https://github.com/tldr-pages/tldr-node-client/releases by @agnivade
• https://github.com/tldr-pages/tldr-cpp-client/releases by @Leandros
• https://github.com/browserpad/browserpad/releases
• https://github.com/JuliaLangPt/tutorial_PT_BR/releases
• https://github.com/JuliaLangPt/julia/releases
• https://github.com/Julia-i18n/Gettext.jl/releases
• https://github.com/Julia-i18n/julialang.github.com/releases
• https://github.com/Julia-i18n/julia-i18n/releases
• https://github.com/wikimedia-portugal/wiki-migration-toolkit/releases
• https://github.com/wikimedia-portugal/dez-anos/releases

[balupton]

Pinging:

• @danmichaelo from mwclient
• @agnivade and @sbrl from tldr-pages
• @El-Zurdo-Sordo @felipenoris @SalchiPapa from JuliaLangPt

The other orgs are only waldy

[Leandros]

Thanks for the ping. I've removed the `install.exe' from my release (but not after downloading it, let's get IDA Pro warmed up and see what it is :P ).

[felipenoris]

Thank you! I've removed the file from JuliaLangPt org.

[balupton]

Okay. I've submitted a report to GitHub via https://bounty.github.com that has gone on their hackerone: https://hackerone.com/bugs?report_id=363401

That's all I can do.

[rprieto]

Thanks for the ping, I've also deleted the release with the EXE file from https://github.com/tldr-pages/tldr/releases.

[Leandros]

It's ... a bitcoin miner. Malware, these days, is becoming boring.

[agnivade]

What the hell just happened ? Is @waldyrious' account compromised ? Deleted the exe from node-client release.

@Leandros - Aha !

[balupton]

Alright. I'm signing off as it is evening here. If anyone still needs me, balupton on wire.com

Good work everyone

Also thanks @justinclift for the heads up

[justinclift]

No worries at all @balupton. :smile:

As a data point, @graystevens is the one who noticed the problem in your repo, as mentioned here along with his initial analysis of the exe: https://github.com/go-gitea/gitea/issues/4167#issuecomment-395718026

[justinclift]

@Leandros That comment in the Gitea repo might be of interest to you too, as @graystevens has already done some initial analysis.

[graystevens]

Cheers for the nudge @justinclift.

Some awesome information in here, seems we have some other repos compromised with the same binary - nice find.

@Leandros if you get anywhere with IDA let me know, be interested to know how close I got with my dynamic analysis.

[justinclift]

Okay. I've submitted a report to GitHub via https://bounty.github.com that has gone on their hackerone: https://hackerone.com/bugs?report_id=363401

Just tried accessing that HackerOne URL. It requires sign-up first, which seems a bit weird.

Oh well, I guess it's to stop the merely curious from looking. :smile:

[waldyrious]

Hi everyone. I'm very sorry about the whole situation. I don't know what's happened to my account (either it got compromised or one of the apps I have enabled has malfunctioned).

My account is currently flagged, likely as a result of @balupton's report (thanks for doing that). I'm reaching out to Github, and in the meantime I've re-enabled 2FA on my account -- I can't recall why I had disabled it the last time I had set it up.

I'll keep you posted regarding any updates. Once more, sorry for this whole mess.

[chadwhitacre]

Awesome work @balupton et al.! 👏

Closing since the release is gone from here, hopefully @waldyrious and GitHub get their situation sorted out soon.

[justinclift]

@waldyrious account page here on GitHub is 404-ing now:

    https://github.com/waldyrious

But several of the repos - including this OpenCompany one - still have the malware showing. :frowning_face:

[justinclift]

@chadwhitacre Do you have edit/change access to this repo, as it still has the malware?

    https://github.com/opencompany/opencompany.github.io/releases <-- still has malware

Note that the tag page version doesn't have the malware, while the release page version does:

    https://github.com/opencompany/www.opencompany.org/releases/tag/0 <-- no malware

[justinclift]

Oh @balupton, you have write access so should be able to fix. Sorry for keeping hassling you. :innocent:

[balupton]

No write access for that repo unfortunately. So someone else will need to do the removal.

Got a response from GitHub about 24 hours ago, that they were looking into the reports. So that would explain the 404’ing

[chadwhitacre]

Good catch @justinclift, reopening until https://github.com/opencompany/opencompany.github.io/releases is cleaned up.

Ping @galuszkak @tenkabuto @timothyfcook!

[galuszkak]

@chadwhitacre deleted.

Closing.

[chadwhitacre]

!m @galuszkak :o)

[sbrl]

Yeah, @waldyrious' account was compromised. They've now changed their password, enabled 2-factor authentication, and revoked all sessions, and has commented here, but until GitHub unblock their account said comment won't be visible.

Source: tldr-pages Gitter channel

@waldyrious wants to thank @balupton for reporting their account to limit the damage, and that they will make sure to ensure everything is back to normal as soon as their account is unflagged.

[waldyrious]

Hi all. My account has just been unflagged. GitHub support has confirmed that it is now secured with the measures I took. I am now awaiting a response regarding what could have caused this problem.

In any case, I apologize to everyone involved for the inconvenience. Many thanks for taking quick action!

In light of this incident, I wonder if more people should be granted owner access to the opencompany org (@balupton in particular). Let me know what you think.

ps - I edited @sbrl's comment above to fix a typo in my username :)

[justinclift]

@waldyrious Good that you're back. :smile:

Do you have access to change this release?

• https://github.com/mwclient/mwclient/releases/tag/v0.9.0

It's still showing the malware available for download. :frowning_face:

[waldyrious]

Update: I've deleted all the remaining releases mentioned in this comment, as well as:

• https://github.com/opencompany/awesome-open-company/releases
• https://github.com/waldyrious/wikispeed/releases
• https://github.com/zeitgeist-portugal/zeitgeist.pt/releases
• https://github.com/TeamOfOne/guitarjs/releases
• https://github.com/TeamOfOne/teamofone.github.io/releases
• https://github.com/improvebraga/ImproveBraga/releases
• https://github.com/improvebraga/venues/releases
• https://github.com/improvebraga/oqfb/releases
• https://github.com/improvebraga/laptop_coffee/releases

I believe that completes the full list of releases made with my account, so everything should be sorted out now. Thanks again everyone, for bearing with me.

---

Btw, I also deleted the tags using the CLI, since GitHub doesn't provide a way to do it in the web interface. For future reference, I created a two-liner script called del-tag-0.sh to streamline the process:

#!/bin/sh

git clone "git@github.com:$1.git" &&
(cd "$(echo "$1" | cut -d'/' -f2)" && git tag -d 0 && git push --delete origin 0)

which I then ran multiple times like this:

. del-tag-0.sh opencompany/awesome-open-company

[waldyrious]

Do you have access to change this release?

• https://github.com/mwclient/mwclient/releases/tag/v0.9.0

It's still showing the malware available for download. :frowning_face:

Huh... that's odd. The release was created by @danmichaelo. I suppose my account was used to append the executable as an attachment to it? In any case, I edited the release and removed the malware from it.

[justinclift]

Thanks @waldyrious. :smile:

[waldyrious]

Thank you for the heads up :) I had missed that one for sure.

[balupton]

Glad you got your account back! that everything is becoming sorted, and that I could be of use 😊

In light of this incident, I wonder if more people should be granted owner access to the opencompany org (@balupton in particular). Let me know what you think.

Whatever you decide I'm happy with 👍

[waldyrious]

Cool @balupton, I made you an owner. Cheers!

[balupton]

As the cause of the compromise seems to be a malicious script. To prevent future occurrences, I think OpenCompany and other GitHub organisations should enable:

• Require 2FA for Organisation Members
• OAuth App Access Restrictions

For OpenCompany, we can do it via:

• https://github.com/organizations/opencompany/settings/security
• https://github.com/organizations/opencompany/settings/oauth_application_policy

However, to enable Require 2FA for Organisation Members, all members must have 2FA on their GitHub accounts enabled or be removed. So I will suggest those without 2FA auth enabled, do so.

One can see which members have 2FA auth disabled via (replace opencompany with your own org):

• https://github.com/orgs/opencompany/people?utf8=✓&query=+two-factor%3Adisabled
• https://github.com/orgs/opencompany/outside-collaborators?utf8=✓&query=+two-factor%3Adisabled

---

You can enable 2FA on GitHub via: https://github.com/settings/security

The common options for setting up 2FA auth that I've encountered are:

• 1Password - 2FA Guide - download - I use this option, it is paid though
• Duo Mobile for iOS - A 2FA alternative recommended by the 1Password team
• Dashlane - 2FA Guide
• Authy - iOS / Android
• Google Authenticator - iOS / Android
• FreeOTP - an open-source option

[justinclift]

As the cause of the compromise seems to be a malicious script.

Hmmm, wouldn't it be more that some malicious script is taking advantage of bad opsec?

2FA is kind of a way to hedge that bet, but does so at the expense of usability. The old security vs usability-for-users tradeoff. :smile:

Note - Not saying it's not warranted, I'm just pointing out that org-wide rollouts will change where the needle is on the usability scale so might exclude or reduce the involvement of some members. Since OpenCompany isn't a huge org though, it's probably do-able. :smile:

[justinclift]

Interesting warning note at the bottom of the GitHub 2FA info page:

Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your phone, don't have access to your recovery codes, or don't have an account recovery token stored.

The only way they seem to have around that is by using Facebook. The mind boggles. :wink:

[galuszkak]

I'm using Trezor for 2FA. You can always restore key from seed if you lost Your hardware key.

[sbrl]

Same with Authy. They have a security check or something you can use to regain access to your account. Don't know much more than that, as I've never had to use it :P