The Gentoo Linux distribution alerted its users that hackers had compromised one of its GitHub accounts and planted malicious code in it.
“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the GitHub Gentoo organization, and modified the content of repositories as well as pages there,” Gentoo reported.
“We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised.”
According to Francisco Blas Izquierdo Riera, a Gentoo developer, the hackers took control of the Gentoo repository on GitHub and managed to replace the portage and musl-dev trees with malicious ebuilds that attempt to erase all files from the system. As the malicious software could not work on GitHub, the development team removed it immediately.
“I just want to notify that an attacker has taken control of the Gentoo organization in GitHub and has among other things replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files,” Francisco Blas Izquierdo Riera said.
“Whilst the malicious code shouldn’t work as is and GitHub has now removed the organization, please don’t use any ebuild from the GitHub mirror obtained before 28/06/2018, 18:00 GMT until new warning.”
“An ebuild file is a text file, used by Gentoo package managers, which identifies a specific software package and how the Gentoo package manager should handle it. It uses a bash-like syntax style and is standardized through the EAPI version,” Gentoo explained.
Gentoo Linux said that the code hosted on its own infrastructure is not impacted. The good news is that Gentoo's repository mirrors are hosted in a separate GitHub account, so the security breach did not affect them.
Gentoo users have been warned not to use any ebuilds downloaded from the compromised GitHub account prior to 18:00 GMT on June 28, 2018. In addition, GitHub has suspended the hacked account, and users can verify the signatures of the commits to stay safe.
“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo reported.
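One way to act on that advice is sketched below. It is an added example, not code from Gentoo or from the original article. It assumes the signing keys you trust are already imported into your local GnuPG keyring, and the function names are hypothetical. It treats every status other than a good, trusted signature as a failure.

```shell
#!/bin/sh
# Added example (not Gentoo's tooling): audit commit signatures via git's
# %G? placeholder, which prints one status letter per commit.

# Human-readable meaning of each %G? letter, as documented in git-log(1).
describe_status() {
    case "$1" in
        G) echo "good signature" ;;
        U) echo "good signature, key validity unknown" ;;
        X) echo "good signature, now expired" ;;
        Y) echo "good signature, made by an expired key" ;;
        R) echo "good signature, made by a revoked key" ;;
        B) echo "BAD signature" ;;
        E) echo "signature cannot be checked (missing key?)" ;;
        N) echo "no signature" ;;
        *) echo "unrecognised status '$1'" ;;
    esac
}

# Reads "<commit> <status>" lines on stdin, reports every commit whose status
# is not G, and returns non-zero if any were reported.
audit_signatures() {
    failed=0
    while read -r commit status; do
        [ -n "$commit" ] || continue
        if [ "$status" != "G" ]; then
            echo "$commit: $(describe_status "$status")"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Audit a revision range in the current repository, e.g. ORIG_HEAD..HEAD
# after a pull (the range is the caller's choice, an assumption here).
audit_range() {
    log=$(git log --format='%H %G?' "$1") || return 2
    printf '%s\n' "$log" | audit_signatures
}

# Constructed sample input: placeholder commit ids, not real Gentoo commits.
demo_audit() {
    printf '%s\n' \
        "1111111111111111111111111111111111111111 G" \
        "2222222222222222222222222222222222222222 N" \
        "3333333333333333333333333333333333333333 B" \
        "4444444444444444444444444444444444444444 U" | audit_signatures
}
```

A `U` result means the signature is cryptographically valid but the key has no assigned trust in the local keyring, so it says nothing about who signed the commit until that key's fingerprint has been checked.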