Hacker Removes Git Repositories, Demands Ransom From Developers to Restore Their Source Codes


At least 392 GitHub repositories have been compromised. The hacker threatens to make the code public if the developers don’t pay the ransom within 10 days.

Open source software development platform GitHub has reportedly been hacked for ransom.

As reported by ZDNet late on Friday, a hacker has wiped and replaced hundreds of GitHub repositories and is demanding a ransom from the developers to restore their source code.

The attacks are apparently happening across Git hosting services including GitHub, Bitbucket and GitLab. A GitHub search revealed that at least 392 GitHub repositories have been compromised.

After removing all source code and recent commits from the victims’ Git repositories, the hacker left a ransom note behind asking for a payment of 0.1 Bitcoin (~$570), according to the report.

The hacker claims all source code has been downloaded and stored on one of their servers. The victims have been asked to pay the ransom in 10 days, failing which the hacker has threatened to make their code public.

The ransom message reads:

To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin@gitsbackup.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.

How did the hacker get into the code repositories?

Evidence suggests that the hacker scanned the entire internet for Git config files, extracted credentials from them, and then used these logins to access and ransom accounts at Git hosting services.

Kathy Wang, Director of Security for GitLab, told ZDNet that they have identified affected user accounts and all of those users have been notified.

“As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository,” Wang was quoted as saying.
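An added example, not taken from the report or from any of the hosting services, of auditing for the exposure described above: it walks a directory tree such as a web root or deployment directory, finds .git/config files, and flags HTTP(S) remote URLs that embed a password or token, redacting the secret in its output. The sample config, host names and function names are constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit

SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
URL_KEY = re.compile(r"^\s*(?:url|pushurl)\s*=\s*(\S+)", re.IGNORECASE)

# Constructed sample of a .git/config file; host, user and secret are made up.
SAMPLE_CONFIG = """[remote "origin"]
\turl = https://deploy:EXAMPLE-PASSWORD@git.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@git.example.com:acme/app.git
"""

def find_embedded_credentials(config_text):
    """Return (section, redacted_url, kind) for HTTP(S) remotes that carry userinfo."""
    findings, section = [], ""
    for line in config_text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        entry = URL_KEY.match(line)
        if not entry:
            continue
        try:
            parts = urlsplit(entry.group(1))
        except ValueError:
            continue  # malformed URL, nothing to report
        if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
            continue  # SSH-style remotes use keys, not a secret stored in the URL
        host = parts.netloc.rpartition("@")[2]
        kind = "password" if parts.password is not None else "userinfo-only"
        findings.append((section, f"{parts.scheme}://***@{host}{parts.path}", kind))
    return findings

def audit_tree(root):
    """Walk root and map each .git/config path to the credential findings in it."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_embedded_credentials(fh.read())
            if found:
                hits[path] = found
            dirnames[:] = []  # skip objects/, refs/ and the rest of the metadata
    return hits
```

A "userinfo-only" finding is a URL with a user part but no password; it is reported for review because an access token can be stored in that position.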

Meanwhile, in a great relief for the developers, members of the StackExchange Security forum have found that the hacker does not actually delete, but merely alters, Git commit headers. This means code commits can be recovered in some cases.



