The Other Lesson from the XZ Utils Supply-Chain Attack

“The best supply chain attack execution ever seen” might sound like yet another hyperbole designed to attract attention, except in the case of the recent XZ Utils case, it was not. Even the most seasoned professionals were left in awe of the sophistication and damage potential the world nearly escaped.

For those who might have missed it, a few weeks ago, a developer discovered through sheer luck—and grit—that a malicious backdoor was present in the widely used open-source compression utility XZ Utils. The backdoor had been intentionally planted in the utility with the intention of gaining virtually unlimited access to most of the servers powering the global infrastructure.

The open-source community’s swift response to the recent security incident was nothing short of remarkable. Within mere days of the initial report, the attack was not only identified but fully resolved—all before the compromised version of the tool could spread widely. It’s a powerful reminder of the advantages of open source: had this been closed-source code, who knows if the breach would have even been detected, let alone fixed so quickly? Hopefully, this major incident will prompt the industry to develop more sustainable approaches to open-source software—and, maybe, to make the classic xkcd comic “Dependency” less reflective of the current state of software development.

But from a security standpoint, there’s another key takeaway here: in today’s world of supply-chain attacks, failing to include GitHub in your attack surface mapping could rapidly become a very costly mistake – especially for companies not actively involved in open-source development themselves.

GitHub: A Double-Edged Sword

GitHub’s meteoric rise in popularity has made it an irresistible target for hackers and cybercriminals. With over 300 million public repositories and 100 million users, the platform’s vast attack surface provides ample opportunities for malicious actors to exploit. GitHub’s widespread adoption across industries, from tech giants to government agencies, means that a single vulnerability or compromised account can have far-reaching consequences.

GitHub was the staging ground for Jia Tan, the (likely fake) profile that patiently built up a history of credibility in preparation for the XZ Utils sabotage. But this is just one example of how threat actors are using the platform to deceive developers: recently, attackers impersonated Dependabot (a bot that checks for outdated dependencies and suggests ready-to-merge changes) to exfiltrate secrets from hundreds of repositories. A study revealed that millions of repositories are potentially vulnerable to “RepoJacking,” a supply chain attack that allows malicious actors to gain control over a GitHub namespace by registering a newly available username. The platform’s open nature and collaborative features, while essential for fostering innovation, also make it an ideal hunting ground for threat actors. Hackers can easily create accounts, contribute to projects, and even set up malicious repositories that masquerade as legitimate ones.

They can also harvest sensitive data inadvertently exposed on the platform, particularly secrets, of which 12.8 million were exposed just in 2023. This highlights the urgent need for organizations to seriously consider monitoring their GitHub footprint.

The State of Secrets Sprawl

The proliferation of code repositories on GitHub amplifies the risk of sensitive information being exposed, both accidentally and deliberately. In its 2024 edition of the State of Secrets Sprawl, code security company GitGuardian reports that a staggering 12.8 million new secrets occurrences leaked publicly on GitHub in 2023, marking a 28% increase from the previous year. This trend is even more concerning considering the quadrupling of such incidents since 2021.

The report identified over 1 million valid occurrences of Google API secrets, 250,000 Google Cloud secrets, and 140,000 AWS secrets leaked. Many of these leaks concerned enterprise-owned credentials, with the IT sector accounting for nearly 66% of all detected leaks. However, the issue spans various industries, including Education, Science and tech, Retail, Manufacturing, Finance and insurance, highlighting the exposure of many different industries on the code-sharing platform.

One of the report’s most alarming findings is that many of these credentials stay valid for a long time, even if the code hosting them disappears from public exposure. A staggering 90% of valid secrets remain active for at least five days after the author is notified, leaving organizations at risk of being vulnerable to what the report calls “zombie leaks.” These are lingering credentials that were erased but not invalidated. Because they are still valid and exploitable, they represent an invisible but high-impact vulnerability that could provide attackers with a stealthy way to infiltrate systems.

This critical security gap underscores the urgent need for organizations to implement robust secrets management practices and automate the remediation process to minimize the impact of leaked secrets.

Lessons Learned from the XZ Utils Backdoor Incident

This story underscores a painful but critical truth: that open-source security is not just a concern for IT departments or tech companies—it’s a business imperative for all. Today, every organization, regardless of its open-source activity, should prioritize the security of these shared codebases and consider platforms like GitHub integral to their attack surface.

Implementing a comprehensive monitoring and auditing strategy can help organizations mitigate the risk of seeing a key exploited by a malicious actor. For that, they need the ability to identify leaks outside of the repositories over which the organization has control, such as personal or open-source repositories. This can be achieved with regular scanning of repositories for exposed secrets, such as API keys, database credentials, and access tokens, which can serve as entry points for attacks.

Investing in automated monitoring and auditing tools can significantly streamline the process and reduce the burden on security teams. These tools can continuously scan repositories, provide real-time alerts, and generate comprehensive reports, enabling organizations to maintain a strong security posture on GitHub.

Moreover, auditing GitHub repositories can uncover hidden threats, such as malicious code injections, backdoors, and supply chain attacks. By thoroughly reviewing code changes, commit histories and contributor activities, organizations can detect suspicious patterns and take swift action to mitigate risks.

However, it is essential to note that monitoring and auditing alone are not sufficient. Organizations must also establish clear policies and procedures for responding to identified risks and vulnerabilities. This includes implementing efficient incident response plans, conducting regular security training for developers, and fostering a culture of security awareness throughout the organization.

By prioritizing proactive monitoring and auditing of GitHub repositories, organizations can effectively reduce their attack surface, protect their valuable assets, and ensure the integrity of their software supply chain. In an era where supply chain attacks are becoming increasingly sophisticated and prevalent, neglecting GitHub security is a risk no organization can afford to take.

About the Author

Thomas Segura, Developer Advocate at GitGuardian has worked as both an analyst and a software engineer consultant for various large French companies. His passion for tech and open-source led him to join GitGuardian as a technical content writer. He now focuses on clarifying the transformative changes that cybersecurity and software are undergoing.

Thomas can be reached online at: https://www.gitguardian.com Twitter: https://twitter.com/GitGuardian and LinkedIn: https://www.linkedin.com/company/gitguardian