The Forensic Trail On GitHub: Hunting For Supply Chain Activity

Transcript

1. #BHEU @BlackHatEvents The Forensic Trail On GitHub: Hunting For Supply

   Chain Activity Threat Hunting & Incident Response

2. GitHub is fundamental infrastructure and a medium through which attackers

   traverse. But threat intelligence analysis of GitHub data (pivoting) remains overlooked and understudied.

3. Bug bounty is a proxy for “malicious” activity

4. None
5. None
6. None

7. Your Guides on the Trail Rami McCarthy Cloud Risk Research

   Lead, Wiz Amitai Cohen Tactical Threat Intel Lead, Wiz “Gentleman, scholar, and cloud agitator” - Clint Gibler Pivot Cartographer & Crier at Clouds

8. 1. Recent Attacks 2. Platform & Protocol 3. Methodology 4.

   Challenges Agenda

9. GitHub in the Crosshairs > A Recent History of Escalating

   Attacks

10. December 9, 2024 March 17, 2025 March 15, 2025 August

    27, 2025 September 16, 2025 November 24, 2025
11. None

12. Update on Attacks by Threat Group APT-C-60, JP- CERT GitHub

    for payload retrieval

13. DPRK recruiters and candidates might be fake, but their abuse

    of GitHub is real.

14. Contagious Interview Actors Now Utilize JSON Storage Services for Malware

    Delivery, NVISO Labs DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains, Google Threat Intelligence Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks, Socket

15. Malware leveraging public infrastructure like GitHub on the rise, Reversing

    Labs GitHub for Command & Control (C2)
16. None

17. Git & GitHub > Ecosystem 101 for defenders

18. • Repositories • Commits • Branches xkcd.com/1597 Gists Pull Requests

    Git Forks

19. GitHub is tightly entwined with Git Gists Pull Requests Git

    Forks

20. • Forks are independent copies of repositories • All part

    of a “repository network” ◦ Corollary: deleting a fork is just deleting a pointer https://github.com/github/dmca/commit/565e… Gists Pull Requests Git Forks

21. • Pull Requests are a special type of branch •

    Commits in a pull request are available in a repository even before the pull request is merged Gists Pull Requests Git Forks git checkout pr/999

22. • Gists are “a simple way to share code snippets,

    notes, and other small pieces of information” • A special, lightweight type of repository Gists Pull Requests Git Forks

23. Investigation Methodology > Users

24. Pivoting is about using information we already have in order

    to discover new information

25. Signs of Malice Timezone Estimation Events API Scraping Emails Search

    Keys Public Profile Investigating Users Reverse image search Cross-site username reuse Affiliation Network

26. Signs of Malice Timezone Estimation Events API Scraping Emails Keys

    Search Public Profile Investigating Users Search Keys

27. Investigating Users Signs of Malice Timezone Estimation Events API Scraping

    Emails Public Profile Search Keys

28. Signs of Malice Timezone Estimation Events API Scraping Emails Search

    Keys Public Profile Investigating Users

29. Events API Signs of Malice Timezone Estimation Scraping Emails Search

    Keys Public Profile Investigating Users

30. Events API Signs of Malice Timezone Estimation Scraping Emails Search

    Keys Public Profile Investigating Users

31. Signs of Malice Timezone Estimation Events API Scraping Emails Search

    Keys Public Profile Investigating Users Better Analyzing Foreign Adversary Threats to Open-Source Software, Margin Research

32. • Backdated repositories / commits • Cloned commit messages •

    DMCA takedowns in network • Disposable and rotated identities in commit emails • Suspicious contributor networks • Issue spamming & star boosting Signs of Malice Timezone Estimation Events API Scraping Emails Search Keys Public Profile Investigating Users Tools: ghbuster, gh-fake-analyzer

33. Check this out at Pivot Atlas: gopivot.ing

34. Investigation Methodology > Attacks

35. • Payload development evident in git log Investigating Attacks Absence

    as Evidence Exfiltration Exploitation

36. • Researcher payloads Investigating Attacks Absence as Evidence Exfiltration Exploitation

37. • Usage of open source tools Investigating Attacks Absence as

    Evidence Exfiltration Exploitation

38. • Usage of open source tools Investigating Attacks Absence as

    Evidence Exfiltration Exploitation

39. • Public tools disclose impact Investigating Attacks Absence as Evidence

    Exfiltration Exploitation

40. • Disruption Investigating Attacks Absence as Evidence Exfiltration Exploitation

41. • Public exfiltration makes a mess Investigating Attacks Absence as

    Evidence Exfiltration Exploitation

42. • Certain patterns have that bug bounty “smell” Investigating Attacks

    Absence as Evidence Exfiltration Exploitation

43. Recovering deleted PRs

44. Recovering deleted commits via cross-fork references

45. Recovering deleted gists

46. Recovering changes

47. Investigating Attacks Absence as Evidence Exfiltration Payloads Absence as evidence

    • Deleted users • Deleted forks • Missing workflow runs and GitHub Action logs

48. Evidence of absence

49. Technical Difficulties

50. Technical Difficulties 1. Not all events are logged publicly

51. 2. Third parties that index data have gaps Technical Difficulties

52. 3. Not all user profiles are public Technical Difficulties

53. 4. GitHub code search only indexes the default branch Technical

    Difficulties

54. 5. Evidence is often deleted by attackers Technical Difficulties S1ngularity

    - What Happened, How We Responded, What We Learned

55. 6. Evidence is often deleted by defenders Technical Difficulties

56. Takeaways

57. Takeaways • Threat activity involving GitHub is picking up •

    GitHub is a critical source of threat intelligence • And it’s insufficiently leveraged by defenders • But if attackers can do it, so can you!

58. GitHunt Try it out yourself: wiz-sec-public/githunt

59. Thank you!