Hackers compromised Gentoo Linux GitHub Page and planted a malicious code

The development team of the Gentoo Linux distribution notifies users that hackers compromised one of the GitHub accounts and planted a malicious code.

Developers of the Gentoo Linux distribution announced that hackers compromised one of the GitHub accounts used by the organization and planted a malicious code.

“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there.” Gentoo wrote on its website.

“We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,” 

The Gentoo developer Francisco Blas Izquierdo Riera confirmed that attackers took control over the Gentoo repository on Github and replaced the portage and musl-dev trees with malicious ebuilds intended to delete all files from a system. The malicious software could not work on GitHub and the development team has already removed it.

“I just want to notify that an attacker has taken control of the Gentoo organization in Github and has among other things replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files.” explained  Francisco Blas Izquierdo Riera.

“Whilst the malicious code shouldn’t work as is and GitHub has now removed the organization, please don’t use any ebuild from the GitHub mirror ontained before 28/06/2018, 18:00 GMT  until new warning.”

What is an ebuils?

“An ebuild file is a text file, used by Gentoo package managers, which identifies a specific software package and how the Gentoo package manager should handle it. It uses a bash-like syntax style and is standardized through the EAPI version.” reported Gentoo.

“Gentoo Linux uses ebuilds as the package management format for individual software titles. These ebuilds contain metadata about the software (the name and version of the software, which license the software uses, and the home page), dependency information (both build-time as well as run-time dependencies), and instructions on how to deal with the software (configure, build, install, test …).”

According to Gentoo, the code hosted on its own infrastructure is not impacted. The Gentoo repository mirrors are hosted in a separate GitHub account that were not affected by the security breach.

Gentoo users have been informed not to utilize any ebuilds downloaded from the compromised GitHub account prior to 18:00 GMT on June 28, 2018.

As part of the incident response, GitHub has suspended the hacked account, users can verify the signature of the commits to stay secure.

“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Linux, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]