
Cyber Incident Victim: GitHub

Date:

Jun 2018

Location:

United States of America

Summary

An unknown attacker compromised the GitHub account of the Gentoo Linux organization and inserted file-wiping malware into the code repositories mirrored on the platform. The malicious code, which targeted the portage and musl-dev trees through corrupted ebuilds, failed to execute as intended, so users suffered no actual file loss. The organization regained control of the account but kept its GitHub profile offline during the initial recovery effort. Gentoo's primary infrastructure and the code it hosts directly were unaffected, since the compromised repositories served only as a mirror. Users who had obtained tainted copies from GitHub were advised to restore from backups or reinstall clean versions while the scope of the breach was investigated.


Description

On June 28, 2018, an unidentified attacker compromised the GitHub account of the Gentoo Linux organization and gained temporary control over its repositories. The attacker embedded malicious code in Gentoo's distributions hosted on GitHub, specifically targeting the portage and musl-dev trees by inserting harmful ebuilds. The code was designed to run file-wiping malware that would delete user files when triggered. Because the payload was not correctly implemented, it did not execute as intended, and widespread data loss was avoided. Gentoo developers, including Francisco Blas Izquierdo Riera, identified the tampered code and opened an investigation to assess the scope of the breach. The organization confirmed that the compromise was limited to its GitHub mirror and did not affect code hosted on Gentoo's primary infrastructure. Users who downloaded distributions from the GitHub mirror during the compromise window were advised to restore their systems from backups or perform clean installations to eliminate any residual risk.


Gentoo's team regained control of the GitHub account shortly after detecting the intrusion, though the profile remained offline at the time of public disclosure on June 29. The organization emphasized that its core servers and services were unaffected, as GitHub served only as a secondary mirror for code distribution. No method of initial access was disclosed, and the investigation into the attack's origin and full extent remained ongoing. The incident highlighted the operational reliance on external platforms while underscoring how Gentoo's segregated infrastructure limited the damage. Users faced disruption from the temporary unavailability of the repositories but avoided data destruction because the malware failed to execute. Gentoo communicated openly with users but released no further technical details about the attacker's identity or motives beyond the confirmed code alterations.
