Gentoo Github mirror hacked, team says ‘all code considered compromised’

• Gentoo has since managed to regain control of the Gentoo Github organization
• "All Gentoo code hosted on GitHub should for the moment be considered compromised,” the team said.

Popular Linux distributor Gentoo said its Github repository was hacked by unknown threat actors who changed GitHub pages and replaced ebuilds with malicious ones.

"The attacker gained control of the Github Gentoo organization," Gentoo said in an alert. "All Gentoo code hosted on GitHub should for the moment be considered compromised."

However, Gentoo said the breach did not affect any code hosted on the Gentoo infrastructure.

“Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org,” the team said. “Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well.”

About Gentoo

Gentoo is a free operating system based on either Linux or FreeBSD that can be automatically optimized and customized for any application or need. Gentoo also allows you to easily make your own packages (ebuilds) via the build system, and even patch software yourself. It is used as a base for the Google Chrome OS.

However, given its extensive usage and distributive advantages, it also poses as a ripe gateway for hackers to poison and spread their malicious activities.

How did the attack happen?

According to a post on the Gentoo-dev list, the attackers replaced portage and musl-dev trees with ebuilds that would try to remove all the files on a user's system.

How can users remain safe from the attack?

Gentoo has since managed to regain control of the Gentoo Github organization.

“We are currently working with Github on a procedure for resolution,” the team said. “Please continue to refrain from using code from the Gentoo Github Organization. Development of Gentoo primarily takes place on Gentoo operated hardware (not on github) and remains unaffected. We continue to work with Github on establishing a timeline of what happened and we commit to sharing this with the community as soon as we can.”

“The Gentoo Infrastructure team have identified the ingress point, and locked out the compromised account,” it added.

The public alert did not reveal exact details about who the attackers were or how they managed to infiltrate the Github organization.

“Gentoo is presently waiting for GitHub support to review & revert unauthorized changes,” they said.