Hey infosec peeps, anyone got an inside scoop on what’s going on with these bogus co-authored commit tags on GitHub? The attackerDOS/B
repo has been taken down, so I can’t look at the commits that I supposedly co-authored. I have FIDO2 MFA on my account, so I’m reasonably certain that no one could have actually committed code to this repo under my account, but I’m also not super familiar with how co-authoring works.
#InfoSec #CyberSecurity #GitHub #attackerDOS
Is it possible that a repo you committed to got taken over and renamed? Furthermore, MicrosoftHub likely only checks basic info when tying users to commits so you could prob add any repo to GitHub and have it show that users committed that never actually did.
@[email protected]
I’m pretty sure this is some kind of spam, because I can’t think of any legitimate reason for thousands of co-authors to be listed on a single commit. But just for kicks, any ideas how I might go about checking if the repo was renamed?Since it got taken down you’ll likely need to see if there is still some info using the API. You could also check the GitHub activity log. Some sites “cache” or scrape GitHub repos as well that might provide more insight.
@[email protected] Great, thank you!
You can have Linus Torvalds listed in your private repo as a contributor if you just push a commit with his email address in
git config user.email
. Probably something similar.Based on the username, they are trying to DOS github by tagging an unexpected number of users. GL lol.
@[email protected] yeah, that’s kinda what I figured might be happening, but I thought I should still ask the experts, just in case. I used to work in cybersecurity, but that was back in the #Sasser worm era (IYKYK 😅), so I’m more than a little rusty.