The git community is working to triage an apparent ransomware attack that hit user accounts on GitHub, GitLab, and Atlassian Bitbucket.
The attack was initially discovered on May 2. Reports suggested that the attack targeted accounts with weak passwords.
According to a blog post released today by the three organizations, the attacker used automated means to take over repositories linked to those accounts. The attacker appeared to have removed the contents of the repositories and left a message that the content would be returned if the account holder paid a 0.1 Bitcoin ransom.
The organizations noted that the attacker accessed the compromised accounts using legitimate credentials that were either weak or gleaned through a third-party platform. One of those third-party systems was also found to be hosting the attack, and the git repository operators were able to lock it down, though ongoing scans found that account compromises were continuing up to May 10.
Kathy Wang, director of security at GitLab, noted in a statement that impacted content should be retrievable.
“We believe that no data has been lost, unless the owner/maintainer of the repository did not have a local copy and the GitLab copy was the only one,” Wang noted. “In some cases, repository files were changed. After updating account credentials, we recommend making use of ‘git’ commands to restore your repository to its previous state.”
The git operators provided instructions on how to track down the hidden content.
Git repositories are online platforms where users can create software projects, offering management of code and a collaboration channel. They are often used by open source developers as a way to broaden collaboration on specific projects.
The companies have also been active in bolstering their positions in the development process by integrating deeper continuous integration/continuous development (CI/CD) features.