AI News

News · 11:17 PM · felrion

Typo Domain ‘ghrc.io’ Poses GitHub Credential Theft Risk

Software engineer Brandon Mitchell has reported that the domain 'ghrc[.]io', a one-character transposition of GitHub's container registry ghcr.io, serves the default Nginx welcome page at its root, yet its /v2/ endpoint does not behave like a default Nginx installation. It answers with a 401 status, a WWW-Authenticate header and an error body closely modelled on the OCI Distribution specification, much as a genuine registry would. That WWW-Authenticate header is what tells OCI clients such as Docker, containerd, Podman and the Kubernetes container runtimes where to authenticate, so a client that has been pointed at ghrc[.]io will send the user's stored credentials to that server.

Mitchell stated, 'There is no legitimate reason for this header to be configured on a default nginx installation, and the rest of the server indicates this is not a container registry. All indications point to this being a typosquatting attack aimed at credential theft.' Any of the usual ways of supplying registry credentials will leak them if the host is mistyped: running 'docker login ghrc.io'; using the 'docker/login-action' GitHub Action with ghrc[.]io as the registry; or creating a Kubernetes image-pull secret for ghrc[.]io and then pulling an image whose reference names the mistyped host.
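All three leak paths come down to a registry hostname stored somewhere in configuration, so the practical check is to collect those hostnames and compare them against the registries you actually use. The script below is an added example for this article, not code from Mitchell or GitHub; the trusted-registry list and every sample input (Docker config, Kubernetes secret, workflow fragment, image references) are constructed for illustration.

```python
"""Audit container-registry hostnames for look-alikes of the registries you trust.

Added example (not the article author's or GitHub's code). It pulls hostnames from a
Docker config.json, a kubernetes.io/dockerconfigjson Secret, a GitHub workflow that
calls docker/login-action, and image references, then flags any host within a small
edit distance of a trusted registry. All sample inputs below are constructed.
"""
import base64
import json
import re

# Assumption: the registries this organisation legitimately uses. Keep this complete;
# a real registry missing from the list (gcr.io is one edit from ghcr.io) would be flagged.
TRUSTED_REGISTRIES = sorted({"ghcr.io", "gcr.io", "docker.io", "quay.io"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and adjacent
    transposition each cost 1, so the 'ghcr' -> 'ghrc' swap scores 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize_host(value: str) -> str:
    """'https://index.docker.io/v1/' -> 'index.docker.io'; any :port is kept."""
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value.strip().lower())
    return value.split("/", 1)[0]


def lookalike_of(host: str, trusted=TRUSTED_REGISTRIES, max_distance: int = 2):
    """Closest trusted registry if host is a near miss of it, else None.
    An exact match is never reported as a look-alike."""
    host = normalize_host(host)
    if host in trusted:
        return None
    best = min(trusted, key=lambda t: (osa_distance(host, t), t))
    return best if osa_distance(host, best) <= max_distance else None


def hosts_from_docker_config(config_text: str) -> list:
    """Registry hosts from the 'auths' map of a Docker config.json."""
    return [normalize_host(k) for k in json.loads(config_text).get("auths", {})]


def hosts_from_k8s_secret(secret: dict) -> list:
    """Registry hosts from a kubernetes.io/dockerconfigjson Secret (base64 in .data)."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"]).decode()
    return hosts_from_docker_config(raw)


def hosts_from_workflow(workflow_text: str) -> list:
    """'registry:' inputs given to docker/login-action steps in a GitHub workflow."""
    pattern = r"^\s*registry:\s*[\"']?([^\s\"'#]+)"
    return [normalize_host(m) for m in re.findall(pattern, workflow_text, re.M)]


def registry_from_image_ref(ref: str) -> str:
    """Registry implied by an image reference, per Docker's rules: the first path
    component is a registry only if it contains '.' or ':' or is 'localhost'."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def audit(hosts) -> list:
    """(host, trusted registry it resembles) for every suspicious host, sorted."""
    findings = []
    for h in sorted({normalize_host(x) for x in hosts}):
        target = lookalike_of(h)
        if target:
            findings.append((h, target))
    return findings


# Constructed samples: each source holds one correct and/or one mistyped registry.
SAMPLE_DOCKER_CONFIG = json.dumps({"auths": {
    "ghcr.io": {"auth": "REDACTED"},
    "https://ghrc.io/v2/": {"auth": "REDACTED"},
}})
SAMPLE_K8S_SECRET = {
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": base64.b64encode(
        json.dumps({"auths": {"ghrc.io": {"auth": "REDACTED"}}}).encode()).decode()},
}
SAMPLE_WORKFLOW = """
      - uses: docker/login-action@v3
        with:
          registry: ghrc.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
"""
SAMPLE_IMAGES = ["ghrc.io/acme/app:1.0", "ghcr.io/acme/app:1.0", "nginx:latest", "localhost:5000/dev"]


def run_sample_audit() -> list:
    hosts = (hosts_from_docker_config(SAMPLE_DOCKER_CONFIG)
             + hosts_from_k8s_secret(SAMPLE_K8S_SECRET)
             + hosts_from_workflow(SAMPLE_WORKFLOW)
             + [registry_from_image_ref(r) for r in SAMPLE_IMAGES])
    return audit(hosts)


if __name__ == "__main__":
    for host, target in run_sample_audit():
        print(f"WARNING: {host!r} looks like {target!r}; credentials may have been sent there")
```

Run it over real files in a pre-commit hook or CI job and treat any finding as a credential exposure, since by the time the hostname is in a config file the login has usually already happened. The allowlist has to be complete, otherwise legitimate registries that sit one edit away from each other (gcr.io and ghcr.io) show up as false positives; and nothing here catches a `docker login` typed interactively, which is why the rotation advice that follows still applies.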

Mitchell advised, 'If you accidentally logged in to the wrong server, change your password, disable any PATs you used, and check for any malicious activity within your GitHub account.' He warned that an attacker holding those credentials could push malicious images to the victim's repositories on ghcr.io or, depending on which credential was used to log in, gain direct access to the GitHub account itself.