Downloaded anything from Gentoo’s GitHub account yesterday?
Consider those files compromised and dump them now—as an unknown group of hackers or an individual managed to gain access to the GitHub account of the Gentoo Linux distribution on Thursday and replaced the original source code with a malicious one.
Gentoo is a free open source Linux or FreeBSD-based distribution built using the Portage package management system that makes it more flexible, easier to maintain, and portable compared to other operating systems.
In a security alert released on its website yesterday, developers of the Gentoo Linux distribution warned users not to use code from its GitHub account, as some “unknown individuals” had gained its control on 28 June at 20:20 UTC and “modified the content of repositories as well as pages there.”
According to Gentoo developer Francisco Blas Izquierdo Riera, after gaining control of the Gentoo Github organization, the attackers “replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files.”
Ebuild are bash scripts, a format created by the Gentoo Linux project, which automates compilation and installation procedures for software packages, helping the project with its portage software management system.
“We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,” the alert said.
However, Gentoo assured its users that the incident did not affect any code hosted on the Gentoo’s official website or the mirror download servers and that users would be fine as long as they are using rsync or webrsync from gentoo.org.
This is because the master Gentoo ebuild repository is hosted on its own official portal and Github is just a mirror for it.
“Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organisation and likely not affected as well. All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” the developer said.
In an update later on its website, the organisation said it has regained control of the Gentoo Github Organization, but advised users to continue to refrain from using code from its Github account, as they are still working with Github, which was recently acquired by Microsoft for US$7.5 billion, on establishing a timeline of what happened.
If you are the one who have downloaded Gentoo Linux images from GitHub instead of its official website, you are highly recommend to backup your content and reinstall the OS from scratch.