Security researchers have found over 35,000 code repositories with malicious forks or clones leading back to a single source. Malware in the tainted code repositories is designed to steal environment variables, stored values that serve as authentication for various online services.
GitHub says that the OAuth tokens were not stolen via a breach of its own systems, but that dozens of private repositories were accessed. The OAuth tokens had been issued to two third-party integrators, Heroku and Travis-CI.
GitHub users leaked their login cookies by committing the cookies.sqlite database from their Linux home directory to their public projects, exposing their accounts to potential compromise.



