Developers of the Gentoo Linux distribution warned users on Thursday that one of the organization’s GitHub accounts was compromised and that malicious code had been planted by the attackers.
“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,” Gentoo said on its website.
According to Gentoo developer Francisco Blas Izquierdo Riera, the attacker replaced the portage and musl-dev trees with malicious ebuilds designed to remove all files from a system. However, the developer says the code doesn’t actually work as intended in its current form.
Ebuilds are bash scripts used by Gentoo Linux for its Portage software management system.
Gentoo pointed out that code hosted on its own infrastructure is not impacted and the Gentoo repository mirrors are hosted in a separate GitHub account that does not appear to be affected by the breach.
“Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org,” users have been told.
Gentoo users have been advised not to utilize any ebuilds obtained from the compromised GitHub account prior to 18:00 GMT on June 28, 2018. GitHub has suspended the hacked account.
“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.