
Ask HN: Remote repos being used for C2 botnet, or VMS scan? - paddlepop
Observation:
A number of external repos are having malicious <i>looking</i> repositories being created with the pattern &quot;;[6 alphanum]&lt;ScRiPt&gt;[4 alphanum]([4 num])&lt;&#x2F;;[6 alphanum]&quot;. For example &quot;;0MhPC1&lt;ScRiPt&gt;r7kK(9626)&lt;&#x2F;;CD4u6&quot;<p>All appear to be running JFrog Artifactory<p>The remote repos we have identified are:
http:&#x2F;&#x2F;repo.gradle.org&#x2F;gradle&#x2F;repo&#x2F;
https:&#x2F;&#x2F;repo.datastax.com&#x2F;dse&#x2F;
https:&#x2F;&#x2F;maven.openflexo.org&#x2F;artifactory&#x2F;openflexo-deps&#x2F;
https:&#x2F;&#x2F;qasymphony.jfrog.io&#x2F;qasymphony&#x2F;repo&#x2F;<p>Possible Scenarios:<p>1 - Someone is running some kind of daily vulnerability scan against these repos. This is inadvertently testing the create repo name field for XSS which is then submitted, creating the repo.<p>2 - Repos are being created for use as a botnet communication channel - pretty clever in my opinion to use remote repos as a means to bypass internal network restriction.<p>Any owners able to tell if the creator is distributed?
======
Jlleitschuh
As a company working for one of the companies impacted by this weirdness we
are just as concerned about the potential implications here as you are. We
have followed up with JFrog about this and are waiting for a response from
them about this.

I'm glad others are seeing these weird things too and it's giving them pause
as well.

