Ghrc.io appears to be malicious
A simple typo of ghcr.io to ghrc.io would normally be a small goof. You’d typically get a 404 or similar error, finally work out the issue, fix it, and move along. But in this case, that typo appears to be doing something very malicious: stealing GitHub credentials.

What’s ghcr.io?

First, a quick bit of background. ghcr.io is an OCI-conformant registry for container images and OCI artifacts used by a lot of projects. It’s part of GitHub and is a very popular image and artifact repository used by open source projects.
The important detail is that this www-authenticate header tells OCI clients, like Docker, containerd, podman, and the various CRIs used by Kubernetes, to send their user credentials to that https://ghrc.io/token API.

If you’ve ever accidentally logged in to the wrong server, you should change your password, revoke any PATs you used, and look for any potentially malicious activity in your GitHub account. An attacker could use those credentials to push malicious images to your ghcr.io repositories, or they may gain access to your GitHub account directly, depending on what login credentials were used.
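As an added example (not code from the original article), here is a defender-side check for the situation described above: it extracts the token endpoint from a Bearer challenge and scans a Docker `config.json` for logins stored against a one-edit look-alike of a trusted registry. The `TRUSTED` allowlist, the sample challenge and the sample config are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: registries this environment legitimately logs in to. Genuine
# near-neighbours (gcr.io is one edit from ghcr.io) must be listed or they are flagged.
TRUSTED = {"ghcr.io", "gcr.io", "docker.io", "quay.io"}

def osa_distance(a, b):
    """Edit distance in which swapping adjacent letters (ghcr -> ghrc) costs 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def lookalike_of(host):
    """Return the trusted registry that host is a one-edit typo of, else None."""
    host = host.lower().split(":")[0]
    if host in TRUSTED:
        return None
    return next((t for t in sorted(TRUSTED) if osa_distance(host, t) == 1), None)

def token_endpoint(www_authenticate):
    """Return the realm URL of a Bearer challenge, i.e. where credentials get sent."""
    scheme, _, rest = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', rest)).get("realm")

def audit_docker_config(config_text):
    """Map each look-alike host with a stored login in config.json to its real twin."""
    hits = {}
    for key in json.loads(config_text).get("auths", {}):
        host = urlsplit(key if "//" in key else "//" + key).hostname or key
        twin = lookalike_of(host)
        if twin:
            hits[host] = twin
    return hits

# Constructed samples: a challenge of the kind described above and a config.json.
SAMPLE_CHALLENGE = 'Bearer realm="https://ghrc.io/token",service="ghrc.io"'
SAMPLE_CONFIG = '{"auths": {"ghcr.io": {}, "ghrc.io": {}, "https://index.docker.io/v1/": {}}}'

if __name__ == "__main__":
    print(token_endpoint(SAMPLE_CHALLENGE), audit_docker_config(SAMPLE_CONFIG))
```

A host reported by `audit_docker_config` means a login was stored for the mistyped name, which is the case where the password change and PAT revocation above apply.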