Hacker Deletes GitHub Code Repositories to Demand a Bitcoin Ransom

Francisco Memoria

A hacker has reportedly been breaking into GitHub accounts, wiping code repositories, and then demanding a ransom in bitcoin from their owners. The attacker threatens to make the code public, or to use it for his own ends.

According to ZDNet, the attack has hit at least 392 different GitHub repositories, and defaced them with a ransom note asking for 0.1 BTC ($558) and an email proving the payment has been made.

The attack is reportedly also hitting code repositories on services similar to GitHub, including Bitbucket and GitLab. The attacker is said to have deleted the code on these repos after accessing accounts through weak passwords or credentials leaked from separate services.

In a statement, GitHub said:

“At this time, it appears that account credentials of some of our users have been compromised as a result of unknown third-party exposures. We are working with the affected users to secure and restore their accounts.”

Speaking to Motherboard, a security researcher at Atlassian, which owns Bitbucket, revealed that as many as 1,000 users could’ve been affected by the hacks. Currently, it remains unclear if any valuable code was affected, as many repositories are public, and there are various largely unused and poor projects on GitHub.

In a security advisory, Bitbucket claimed it was set to restore affected repositories in the near future, while one victim stated he managed to recover the affected code by “accessing a commit’s hash.”

Currently, the hackers’ bitcoin address doesn’t seem to have received any ransom payments: at press time it has received a 0.0005 BTC transaction, which makes up its total balance. To protect their users, GitHub and the other services are recommending the use of two-factor authentication.