ATTN Coders: A Hacker is Wiping Git Repositories

1 Like

but… it’s github… the code is already public???

What is known is that the hacker removes all source code and recent commits from victims’ Git repositories, and leaves a ransom note behind that asks for a payment of 0.1 Bitcoin (~$570).

Private Git repositories were most likely compromised as well, which will no doubt trigger lengthy investigations at companies who might have had their proprietary code potentially siphoned off to a remote server.

1 Like

Yes - but I share Bhyden’s puzzlement.

Git is a distributed repository. It doesn’t seem to matter a hoot if you delete what’s at github, because you have a local copy.

Therefore the threat must be that of disclosure. But it’s already public.

2 Likes

If you pay you can create repositories which are only visible to selected people. GitHub is not only for open source projects.

5 Likes

The more you know.

1 Like

Honestly, if you save important code on another person’s or company’s machine,…

4 Likes

...and, still unsatisfied, have account passwords being stored in plain text on a deployment of a related repository...

3 Likes

Just hundreds? So the hacker guessed their passwords?

Somebody said elsewhere that only users who didn’t use 2FA (Two-Factor Authentication) are affected.

1 Like

Well maybe they’ll know better next time.

This is not a concern for the vast majority of people using these git hosting services. It really only seems to be a serious problem for a very narrow segment of users that:

  1. Have a paid account that lets them make private repositories.
  2. Have private repositories containing code that they must keep private.
  3. Have their password compromised somehow.
  4. Are not using two-factor authentication.
  5. Have been unlucky enough to be in the very small number of users that were attacked by this hacker.

It’s quite sensationalist for the article to lead (and even put in their title) with “wiping” as the major concern. For almost everyone, wiping is just a nuisance, since they will have redundant copies of the entire code repo in various places (on their own machines, on the machines of anyone that has cloned, in other forked repos, etc.). Even the hacker is threatening to publish the code after 10 days, so it’s clear that data destruction is not the real threat.

The most annoying part of the wiping, however, is that the attacker seems to have done so by deleting the repo and then recreating a new one with the same name. I guess this would have irrecoverably deleted various things external to the git repo, such as issues (bug reports) tracked by the websites. I doubt that the attacker would have had the foresight to back those up.

It’s a bit bizarre that the hacker seems to have attacked various public repositories (presumably alongside various private ones) with this same threat. I think this points to this being a very amateurish attack.

3 Likes

The main problem concerns everyone

This is a reminder to use different, good passwords for each service one’s using and to enable two-factor authentication if possible.
(And not to publish .git/config files with your login credentials.)

Since not all of the accesses resulted in both a repository wipe and a ransom note, this suggests that the attacker’s update script was possibly not working properly. This could be a result of a generic script being used against GitLab as well as GitHub and Bitbucket.

As I understood it, the attack altered the git repos in a way that even allows the saved files to be recovered in some cases, and did not touch anything platform-specific like issue trackers …

The good news is that after digging through a victim’s case, members of the StackExchange Security forum have found that the hacker does not actually delete, but merely alters Git commit headers, meaning code commits can be recovered, in some cases.

1 Like
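One way to act on the advice above about not publishing .git/config files with login credentials, as an added example that is not part of any post in this thread: a small Python check that reads a repository's .git/config text and flags HTTP(S) remote URLs carrying embedded credentials. The sample config, hosts and token are constructed, and `find_embedded_credentials` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a .git/config; hosts, user names and the token are made up.
SAMPLE_CONFIG = '''\
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://alice:constructed-token-123@git.example.com/alice/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "backup"]
    url = git@git.example.com:alice/app.git
[remote "mirror"]
    pushurl = https://deploy@mirror.example.org/app.git
'''

SECTION = re.compile(r'^\s*\[([^\]]+)\]\s*$')
SETTING = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
URL_KEYS = {"url", "pushurl"}

def find_embedded_credentials(config_text):
    """Return one finding per HTTP(S) remote URL with userinfo; secrets are never echoed."""
    findings = []
    section = None
    for line in config_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # git config comment lines
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = SETTING.match(line)
        if not m or m.group(1).lower() not in URL_KEYS:
            continue
        parts = urlsplit(m.group(2))
        # scp-style "git@host:path" has no http(s) scheme: key-based SSH, no stored password.
        if parts.scheme not in ("http", "https") or parts.username is None:
            continue
        findings.append({
            "section": section,
            "key": m.group(1).lower(),
            "host": parts.hostname,
            # Username-only URLs are reported too; only the presence of a password is recorded.
            "has_password": parts.password is not None,
        })
    return findings
```

Running it over each local clone before a deployment or a web-root copy shows which remotes need their credentials moved into a credential helper or replaced by SSH keys.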

Wow, that’s even more amateurish than I guessed. Accidentally hitting public repos with a mistargeted script makes sense.

I was only just looking at some of the affected repos. It appears that none of the ones that I checked had any open issues, so I assumed that the hacker must have wiped those out somehow, but maybe none of the affected repos that I saw ever had open issues to begin with.

I guess it all just boils down to a low-effort hoax in order to scare some people into sending some bitcoin. It does not seem to be working…

The wallet has only received 1 transaction for 3 USD so far.
https://www.blockchain.com/btc/address/1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA

I’m guessing that $3 was just deposited by the attacker, or maybe an investigator that wants to see where it might move.

3 Likes

This indeed is getting more attention than it should. Somehow it got hyped, with click-bait style headers on a lot of blogs.

3 Likes