Sha1-Hulud: The Second Coming. #180416
My repository https://github.com/koldakov/futuramaapi just received about 100 stars within one hour. I noticed that some users who starred my repo have repositories like Sha1-Hulud: The Second Coming.. with the weird name like ofhjujkqfh8ouifv31. I'm concerned whether these accounts are legitimate or potentially compromised. Do I need to take any action to secure my repository or account, or is this safe to ignore?
Replies: 3 comments 1 reply
Me too, at the same time it seems you have posted this, meel-hd/lofi-engine got around 100 stars too. I found out it is related to a supply chain attack that's propagating at the moment: https://www.sysdig.com/blog/return-of-the-shai-hulud-worm-affects-over-25-000-github-repositories The article says it gets to your machine via npm installed packages that were compromised. Then it scans for any api or access tokens, like GitHub, GCP, Azure. And when it finds a GitHub token of your account it pushes into a new repo under your account with all those secrets. So if your GitHub account doesn't have that weird repo, I guess it's safe. This scared the f out of me, when I found out about it. I don't know why it stars random repos, but I guess it does that to look as normal GitHub users not as a bot. @koldakov if you found out anything plz post it in this discussion. This is scary.
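A check a defender can run against their own account for the indicator the reply above describes (a newly created repo with a random-looking name and the description "Sha1-Hulud: The Second Coming."). This is an added example, not code from the discussion or from either linked article; the sample repo list is constructed, the random-name regex is an assumption derived from the one name quoted in the question, and the live GitHub API call only runs when the hypothetical GITHUB_TOKEN variable is set.

```python
"""Scan a GitHub account's repos for the Shai-Hulud indicator discussed above."""
from __future__ import annotations
import json
import os
import re
import urllib.request

# The description the worm reportedly gives the repo it creates (quoted in the question).
INDICATOR_DESCRIPTION = "sha1-hulud: the second coming"
# Assumed heuristic: 15+ lowercase alphanumerics containing both letters and digits,
# modelled on the single name quoted in the question (ofhjujkqfh8ouifv31). Weak signal.
RANDOM_NAME = re.compile(r"^(?=.*[0-9])(?=.*[a-z])[a-z0-9]{15,}$")


def classify_repo(repo: dict) -> list[str]:
    """Return the indicator names a single /user/repos entry matches (empty list = clean)."""
    hits = []
    desc = (repo.get("description") or "").strip().rstrip(".").lower()
    if desc == INDICATOR_DESCRIPTION:
        hits.append("description")          # strong indicator
    if RANDOM_NAME.match(repo.get("name") or ""):
        hits.append("random-name")          # weak indicator, review manually
    return hits


def find_suspicious_repos(repos: list[dict]) -> list[dict]:
    """Filter a /user/repos listing down to entries with at least one indicator."""
    return [{"name": r["name"], "url": r.get("html_url"), "indicators": classify_repo(r)}
            for r in repos if classify_repo(r)]


def fetch_user_repos(token: str) -> list[dict]:
    """Fetch the newest 100 repos of the authenticated user from the GitHub REST API."""
    req = urllib.request.Request(
        "https://api.github.com/user/repos?per_page=100&sort=created",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the shape of /user/repos output; owner "example" is a placeholder.
SAMPLE_REPOS = [
    {"name": "futuramaapi", "description": "Futurama API", "html_url": "https://github.com/example/futuramaapi"},
    {"name": "ofhjujkqfh8ouifv31", "description": "Sha1-Hulud: The Second Coming.",
     "html_url": "https://github.com/example/ofhjujkqfh8ouifv31"},
    {"name": "lofi-engine", "description": None, "html_url": "https://github.com/example/lofi-engine"},
]

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")   # assumed env var; falls back to the sample offline
    for hit in find_suspicious_repos(fetch_user_repos(token) if token else SAMPLE_REPOS):
        print(f"SUSPICIOUS {hit['name']} ({', '.join(hit['indicators'])}): {hit['url']}")
```

A "description" hit means a token for that account was in the attacker's hands: rotate every GitHub, npm and cloud credential that machine could reach, not just the one that created the repo.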
Yes this is an attack, please read about it here: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24
👋 Welcome to the GitHub Community, @koldakov! Congratulations on your first post! 🎉 Thanks for reporting this, you're right to be cautious. The pattern you've described is consistent with bot or compromised accounts engaging in coordinated or inauthentic activity. Receiving stars from these accounts does not compromise your repository or your personal account. Your repo remains secure. You can report the suspicious accounts using GitHub's abuse reporting tools. This helps GitHub's Trust & Safety team identify and take action on inauthentic behavior. GitHub actively monitors for and removes accounts violating our Acceptable Use Policies. If you notice further unusual activity or have additional concerns, feel free to reach out to GitHub Support. Thanks for being vigilant and helping keep GitHub safe! 🚀