Ghrc.io Appears to Be Malicious
17 days ago
- #github
- #container-registry
- #cybersecurity
- Mistyping 'ghcr.io' as 'ghrc.io' (the 'c' and 'r' swapped) can lead to credential theft.
- 'ghcr.io' is a popular OCI-compliant container registry by GitHub.
- 'ghrc.io' looks like a default nginx install when browsed, but answers OCI registry API calls with an authentication challenge instead of a plain 404.
- The harmful part is the 'WWW-Authenticate' header in that challenge: its realm points clients at 'ghrc.io/token', so any client that has credentials configured for that host sends them there, following the normal registry token flow.
- Credentials are stolen only if a user logs in to 'ghrc.io' by mistake or configures a tool or service (pull secrets, CI jobs, Docker config) with credentials for it; simply pulling from the typo'd host without credentials leaks nothing.
- Anyone who did so should rotate the affected passwords, revoke the personal access tokens (PATs) involved, and review their GitHub account and organizations for suspicious activity.
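The two checks a practitioner would want from the description above are (a) a client-side guard that refuses to follow a registry's token challenge unless the host is on an allowlist and the realm stays on that same host over HTTPS, and (b) a scan of configuration text for hostnames one keystroke away from a trusted registry. The Python below is an added example, not code from the article or from GitHub; the challenge header and the config snippet are constructed samples shaped like the behaviour the article describes, and the 'ghcr.io'-only allowlist is an assumption.

```python
"""Added example (not from the article): guard registry token challenges and
scan configs for look-alike registry hosts. Sample inputs are constructed."""
import re
from urllib.parse import urlparse

# Assumption: the only registry this environment should pull from or log in to.
TRUSTED_REGISTRIES = {"ghcr.io"}

# Constructed challenge, shaped like the one the article describes for ghrc.io.
SAMPLE_CHALLENGE = 'Bearer realm="https://ghrc.io/token",service="ghrc.io"'

# Constructed config fragment: a workflow snippet plus a docker config.json line.
SAMPLE_CONFIG = """\
image: ghrc.io/acme/api:1.4.2
image: ghcr.io/acme/web:1.4.2
image: docker.io/library/nginx:1.27
"auths": {"https://ghrc.io": {"auth": "REDACTED"}}
"""


def parse_www_authenticate(header: str) -> dict:
    """Split 'Bearer realm="...",service="..."' into a dict of lowercase keys."""
    scheme, _, params = header.strip().partition(" ")
    fields = {"scheme": scheme.lower()}
    for m in re.finditer(r'(\w+)="([^"]*)"', params):
        fields[m.group(1).lower()] = m.group(2)
    return fields


def check_token_realm(registry_host: str, header: str) -> tuple[bool, str]:
    """Decide whether a client should send credentials to the realm in a 401 challenge.

    Rejects hosts outside the allowlist (this is what stops the typo case),
    non-bearer schemes, plaintext realms, and realms on a different host."""
    host = registry_host.lower()
    if host not in TRUSTED_REGISTRIES:
        return False, f"{host} is not an allowed registry"
    fields = parse_www_authenticate(header)
    if fields.get("scheme") != "bearer":
        return False, f"unexpected auth scheme {fields.get('scheme')!r}"
    realm = urlparse(fields.get("realm", ""))
    if realm.scheme != "https":
        return False, "token realm is not https"
    if realm.hostname != host:
        return False, f"token realm {realm.hostname} differs from registry host {host}"
    return True, "ok"


def _dl_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein distance: an adjacent swap counts as one
    edit, so 'ghrc.io' is exactly 1 away from 'ghcr.io'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


# Any dotted hostname-like token: image references, auth keys, URLs.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def find_lookalike_registries(text: str) -> list[tuple[str, str]]:
    """Return sorted (host, trusted_host) pairs for every hostname in text that
    is within one edit of a trusted registry but is not that registry."""
    hits = set()
    for m in HOST_RE.finditer(text):
        host = m.group(1).lower()
        if host in TRUSTED_REGISTRIES:
            continue
        for trusted in TRUSTED_REGISTRIES:
            if _dl_distance(host, trusted) == 1:
                hits.add((host, trusted))
    return sorted(hits)


if __name__ == "__main__":
    print(check_token_realm("ghrc.io", SAMPLE_CHALLENGE))
    print(check_token_realm("ghcr.io", 'Bearer realm="https://ghcr.io/token",service="ghcr.io"'))
    for host, trusted in find_lookalike_registries(SAMPLE_CONFIG):
        print(f"look-alike registry {host!r} (did you mean {trusted!r}?)")
```

The realm check matters beyond the typo case: a registry you do trust could still be misconfigured or compromised to hand out a realm on another host, and a client that blindly follows the challenge would post its token there. The look-alike scan is deliberately broad (any dotted token, not just image references) so it also catches the `auths` keys in a Docker config file, which is where stored credentials for a mistyped host actually live.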