Gentoo GitHub Injected with Malware
On June 28, 2018, Gentoo released a notice that their mirror-hosted operating system code on GitHub was compromised by unknown threat actors and injected with malware. The malicious code was inserted into the Gentoo, musl, and systemd repositories within the portage and musl-dev trees. The malware attempts to delete all local system files through ebuilds, bash scripts that automate software installations. GitHub assured users who performed downloads from the official site, gentoo.org, using rsync or webrsync were not affected. Github has since reverted the corrupted repositories on GitHub to a clean state and disabled the compromised user account. Additionally, Gentoo plans to implement multi-factor authentication (MFA) to ensure authorization of legitimate users in the future. All Gentoo GitHub commits are officially signed, and those who make future downloads can verify the legitimacy of these signatures. The NJCCIC highly recommends users who made a GitHub download from Gentoo prior to 1:00PM EST on June 28, 2018 avoid using any impacted ebuilds and consider backing up data and reinstalling the operating system from the official site. For further updates on this matter, please review the Gentoo’s incident page and notice.