Description
We are currently investigating suspicious activity from an account with write access privilege to the go-gitea organization. A binary was added to releases across multiple go-gitea repositories. We cleaned up all releases and temporarily dropped access from the account. We will investigate further to understand what really happened, to prevent it in the future, and be transparent with you through the process. In the meantime, if you find any suspicious activity, please report it under this issue.
UPDATE: No source code or other Gitea infrastructure was affected, including https://dl.gitea.io/, so it's safe to use it to download Gitea binaries.
The GitHub account that was hacked is under full control and also has 2FA set, so this should not happen again in the future.
What was done:
- In most of the go-gitea organization repositories a new release & tag was created with the name `0`, and an `install.exe` binary (13KB in size) was added to that release that was malicious (from our analysis it contained a cryptocurrency miner). All these releases and binaries were deleted within 2-3 hours from when they were added.
- Also, the 1.4.2 release Windows Gitea .exe binary on GitHub was replaced by the same 13K binary as above. So if Gitea is working, you are safe.
- Just in case, we retagged 1.4.2 to trigger CI to rebuild the binaries, so the sha256 will now be different from what it was before the retag.
We have contacted GitHub but have not received any answer from them yet.
UPDATE2:
No actual Gitea binaries were compromised, so all hashes mentioned in the comments below are safe.
SHA256 of the malicious .exe file:
bfc5a0358b1ad76ffbc1e1f4670bd3240536e2fbac88272cee3003322a15fffe
UPDATE3:
v1.4.2 has been re-released at about 2018-06-07 20:00:00 UTC+08
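As an added example (not part of this issue and not Gitea's own tooling), a small Python checker for a directory of downloaded release assets: it flags any file whose SHA256 equals the hash above, flags an `install.exe` of about the reported 13KB size as suspect, and verifies other assets against a checksum you already trust (for example one taken from dl.gitea.io). The sample files, their names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# SHA256 of the malicious install.exe published in this issue (the only real IoC here).
MALICIOUS_SHA256 = "bfc5a0358b1ad76ffbc1e1f4670bd3240536e2fbac88272cee3003322a15fffe"
# Asset name and approximate size (13KB) reported above; a weak secondary signal only.
SUSPECT_NAME, SUSPECT_MAX_BYTES = "install.exe", 16 * 1024

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA256 so large release binaries never sit fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_asset(path, expected_sha256=None):
    """Classify one downloaded asset: 'malicious', 'mismatch', 'suspect-name' or 'ok'."""
    digest = sha256_file(path)
    if digest == MALICIOUS_SHA256:
        return "malicious"       # exact match on the published IoC
    if expected_sha256 and digest != expected_sha256.lower():
        return "mismatch"        # differs from the checksum you trusted for this asset
    if os.path.basename(path).lower() == SUSPECT_NAME and os.path.getsize(path) <= SUSPECT_MAX_BYTES:
        return "suspect-name"    # looks like the rogue asset; inspect before running
    return "ok"

def scan_dir(root, expected=None):
    """Check every file under root; expected maps file name -> known-good SHA256 hex."""
    expected = expected or {}
    return {os.path.relpath(os.path.join(d, n), root): check_asset(os.path.join(d, n), expected.get(n))
            for d, _, names in os.walk(root) for n in names}

def demo():
    """Constructed sample download directory (hypothetical contents, not real Gitea files)."""
    good = b"constructed stand-in for a genuine gitea-1.4.2 windows binary\n"
    with tempfile.TemporaryDirectory() as root:
        files = {"gitea-1.4.2-windows-4.0-amd64.exe": good,
                 "tampered.exe": good + b"!",          # content changed after its checksum was published
                 "install.exe": b"\x00" * 13 * 1024}   # same name and size class as the rogue asset
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        known_good = hashlib.sha256(good).hexdigest()
        return scan_dir(root, {"gitea-1.4.2-windows-4.0-amd64.exe": known_good,
                               "tampered.exe": known_good})
```

Running `demo()` yields `ok` for the untouched stand-in, `mismatch` for the altered one and `suspect-name` for the small `install.exe`; a real hit on the published hash would return `malicious`.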