What a garbage clickbait thread. From scary words like "attack", "infected", etc. you would think projects are compromised. But nothing is compromised. From wayyyyy down in the thread:
> The attacker creates FAKE orgs/repos and pushes clones of LEGIT projects to github.
Yeah, anyone can push anything to their own GitHub accounts/orgs, including malware. We know that.
From what I can see, he wrote the tweet after organically finding one of these via Google and then searching and finding that there were many many more.
It's absolutely true that the wording is wrong, but I think it's reasonable to accept a "jumped the gun" explanation rather than a clickbait one.
The presence of large volumes of project copies on typosquats and synonym squats is still a problem, they'll still get indexed by tools, and then the tools boost their page rank, and eventually some make it to users. Given that the Go init payload contains an RCE and not just a data collection, there is still something of note there. Yes it's not 35k compromised projects, but it is a broad deployment of malicious code.
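One concrete check a consumer of a cloned Go module can run before importing it, as an added example that is not code from the thread or from any project it mentions: parse each source file and flag calls made from `func init()` into packages that can run commands or open sockets, since that is where an import-time payload has to live. The package list, the `util.go` sample and the hypothetical helper name are constructed for this example; it matches by the bare package identifier, so a renamed import (`import e "os/exec"`) would slip past it.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Package identifiers that have no business being called at import time.
var riskyPkgs = map[string]bool{"exec": true, "syscall": true, "http": true, "net": true}

// SuspiciousInitCalls parses one Go file and returns "file:line pkg.Func" for
// every call inside a func init() whose receiver is one of riskyPkgs.
func SuspiciousInitCalls(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, d := range f.Decls {
		fn, ok := d.(*ast.FuncDecl)
		if !ok || fn.Recv != nil || fn.Name.Name != "init" || fn.Body == nil {
			continue // only top-level init() runs automatically on import
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
				if pkg, ok := sel.X.(*ast.Ident); ok && riskyPkgs[pkg.Name] {
					pos := fset.Position(call.Pos())
					hits = append(hits, fmt.Sprintf("%s:%d %s.%s", pos.Filename, pos.Line, pkg.Name, sel.Sel.Name))
				}
			}
			return true
		})
	}
	return hits, nil
}

// Constructed sample: a harmless stand-in for the shape of an init-time payload.
const sample = "package util\n\nimport \"os/exec\"\n\nfunc init() { exec.Command(\"env\").Run() }\n"

func main() {
	hits, _ := SuspiciousInitCalls("util.go", sample)
	fmt.Println(hits) // prints [util.go:5 exec.Command]
}
```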
Yes, the scope is not "35k existing GitHub repos are infected", since AFAICT all the infected repos are forks, so the title is misleading.
However:
1. The scale is pretty worrying. Given the total number of repos on GitHub (> 100M) it's a drop in the ocean, but still huge.
2. Typo-squatting on, say, PyPI or npmjs is certainly note-worthy, and this is a very similar attack.
3. At least some of the infected forks had several stars, some from ~5-year-old accounts, so apparently some people were using them.
4. The original Twitter thread did note that infected forks were being created — it just didn't emphasise that this was the only attack surface, probably because the author didn't realise.
Save yourself some time. Flagged.