Apart from cost, a great attraction of open-source software is the very fact that it is open: you may inspect the code for malicious content and determine whether or not you’re comfortable including it in your project. That’s a lot of work, though, and many people don’t do it, taking on trust that the transparency and self-regulated nature of the open-source community means that “someone, somewhere must have checked this out, right?”
GitHub, of course, is fast becoming the de facto repository of the open-source movement, with usage statistics placing it well ahead of older favorites like CodePlex and SourceForge (see https://www.software.ac.uk/resources/guides/choosing-repository-your-software-project for details).
This hasn’t gone unnoticed by the bad guys, with an interesting new trend of malware targeted at developers on GitHub. Why target developers? Because they will likely also have access to privileged accounts on systems and to other information of use to hackers. Compromising a developer can yield significantly greater rewards for a malicious actor than compromising an ordinary user.
READER BE AWARE: The research note linked to below contains example code, and may trigger alerts from security software in your browser, or if copied/pasted to an email or other document. This doesn’t indicate an attack, but rather that potentially malicious code has been identified. As ever, though, we do recommend that you protect your systems with correctly installed and maintained anti-virus and anti-malware tools. Here is the link: http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/