A hacker is making the rounds and attacking Git hosting services like GitHub, Bitbucket, and GitLab. The attacks reportedly started on May 3, and as of now, it is unclear how the hacker is gaining access to these repositories. What is known, however, is that the hacker is removing all source code and recent commits from the victim Git repository.
In the place of the code that was located in the repositories, the hacker leaves a note that asks for a payment of 0.1 Bitcoin, which is worth about $570 right now. The hacker claims that all of the source code is downloaded and stored on their own personal server. The note gives the victim ten days to pay the ransom and if it isn't paid, the code is to be made public.
For the skeptical victims out there, the hacker says that they can email them and they will send proof that they have the code. The ransom demand does threaten to make the code public "or use them otherwise" if the victim doesn't pay. It's not clear if the account has received funds at this time.
Reports indicate that at the time of writing at least 392 GitHub repositories had been ransomed. The bitcoin account for the hacker had been reported to BitcoinAbuse 27 times as of today, which was also the first time the site database indexed the address.
While it's unclear how the hacker gained access to so many accounts, some of the hacked accounts have reportedly admitted to using weak passwords or forgetting to remove access to old apps they hadn't used in a while. There is evidence that the hacker scanned the internet for Git config files, extracted the credentials, and use those logins to access and ransom accounts at Git hosting services.
Microsoft purchased GitHub in June of 2018.