Protecting Your Credentials: the Risks of Trusting Open Source Repositories and the Tactics of Cybercriminals

One way cybercriminals steal user credentials, such as the private key of an Ethereum account, is by creating a GitHub repository containing an application that requires those credentials in order to run. In this discussion, we will focus on the case of the private key of an Ethereum account.

In this scenario, an attacker creates a seemingly useful application on GitHub and fills in all required sections, such as the About page and relevant tags, and creates a Wiki, to increase the chances of the repo being indexed in search results and noticed by a potential victim.

If the repo is created from scratch, it may be written in a less popular language like Elixir, Haskell, or even Perl, making the code harder to read and understand. For popular languages like Python, several tricks can be used to hide the malicious parts, such as injecting junk code. This task is made simpler today by ChatGPT; see our article on this topic.

If the repo is instead a fork of an existing project, malicious code may be injected into some of its parts. The attacker can suggest that the user compile the code, which is a challenging task for a user who does not have the whole build chain installed on their machine. As an alternative, the attacker can offer a download of a compiled version of the application that already contains the malicious part.

Downloading and executing a compiled application from a loosely trusted repo is very dangerous. But using the source code is no less dangerous if you have not read the code and made sure it does not contain any unwanted parts.

Continuing with the previously mentioned example of an application that phishes private keys, an attacker can claim the repo contains the open source code of a Node.js arbitrage bot (Node.js is a very frequent choice for arbitrage bots). The repo’s README will contain instructions on how to use the bot. One of the instructions is to create a .env file that includes the private key of an account with at least 0.5 Ethereum to enable the bot to execute the arbitrage. If a victim fills in the .env file and runs the bot with something as innocent-looking as

npm run prod

the bot will empty the account’s balance to the attacker’s wallet.
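One way to look before running anything is to statically list what `npm install` and `npm run prod` would execute and which source lines touch secrets, the network, or encoded strings. The following is an added example, not code from any repository discussed here; the rule patterns, the function names `auditRepo` and `filesFor`, and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example: static audit of a cloned repo. It only reads text; it runs nothing.
// npm runs these scripts automatically during `npm install`, before any `npm run prod`.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic line patterns (assumptions chosen for this example, not a complete list).
const RULES = [
  { id: 'secret-env', re: /process\.env\.\w*(PRIVATE|SECRET|MNEMONIC|KEY)\w*/i },
  { id: 'network', re: /\b(fetch|axios)\b|require\(['"](https?|net|dgram)['"]\)|https?:\/\/[^\s'"]+/ },
  { id: 'obfuscation', re: /\beval\s*\(|new Function\s*\(|['"]base64['"]|\\x[0-9a-f]{2}/i },
];

// files: { relativePath: fileText } holding package.json and the JavaScript sources.
function auditRepo(files, runScript = 'prod') {
  const findings = [];
  const add = (id, file, line, text) => findings.push({ id, file, line, text });
  const scripts = JSON.parse(files['package.json'] || '{}').scripts || {};
  for (const [name, cmd] of Object.entries(scripts)) {
    if (LIFECYCLE.includes(name)) add('install-hook', 'package.json', 0, `${name}: ${cmd}`);
    if (name === runScript) add('entry-point', 'package.json', 0, cmd);
  }
  for (const [file, text] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(file)) continue; // scan JavaScript sources only
    text.split('\n').forEach((src, i) => {
      for (const { id, re } of RULES) if (re.test(src)) add(id, file, i + 1, src.trim());
    });
  }
  return findings;
}

// Files to read by hand first: every file that triggered the given rule id.
const filesFor = (findings, id) =>
  [...new Set(findings.filter((f) => f.id === id).map((f) => f.file))];

// Constructed sample repo (not taken from any real project).
const SAMPLE = {
  'package.json': JSON.stringify({
    scripts: { prod: 'node src/index.js', postinstall: 'node scripts/setup.js' },
  }),
  'src/index.js': "require('dotenv').config();\nconst bot = require('./lib/engine');\nbot.start(process.env.PRIVATE_KEY);",
  'src/lib/engine.js': "const https = require('https');\nexports.start = (k) => { /* ... */ };\nconst cfg = Buffer.from('Y29uc3RydWN0ZWQ=', 'base64');",
  'src/util/math.js': 'exports.spread = (a, b) => (a - b) / b;',
};

for (const f of auditRepo(SAMPLE)) console.log(`${f.id.padEnd(12)} ${f.file}:${f.line}  ${f.text}`);
```

A finding is a place to start reading, not a verdict: a legitimate bot also reads a key and talks to the network, and here the key read in `src/index.js` is handed to another module, so the code it flows into has to be read as well.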

What is the attacker relying on in this kind of exploitation? It is the victim’s belief that open source code is generally safe, because a bad actor would not want to disclose their malicious code to the public, which would catch the inserted trap and report it. This is a fallacy. In most cases, even programmers don’t check open source and use libraries from GitHub without any inspection. This applies even more to less professional users.

The main conclusion is to never trust an open source project unless it has been proven safe.