hey everyone,
You have probably seen the X post listing people from North Korea who contributed to certain crypto projects or worked for crypto companies until they were uncovered. As the paritytech organization holds multiple repositories, Parity Security wanted a quick way to check situations like this in the future and to have visibility as soon as possible.
Today we would like to introduce mlctrib-cli, which enables anyone to do due diligence on the matter using either the CLI or the GitHub Action. The tool lets you search for specific malicious contributors inside a GitHub organization and, on top of that, cross-check against your employees' GitHub usernames (if you use Humaans) to check if the enemy is with you.
You can run the CLI yourself, providing the credentials it needs, if you feel more comfortable running things that way. However, since security tooling should empower other teams and lower the usage barrier, you can also use it directly as a GitHub Action, like the following example:
```yaml
name: Run Malicious Contributors Checker
on:
  workflow_dispatch: # Allows the workflow to be triggered manually
    inputs:
      org:
        description: "GitHub organization name"
        required: true
        default: "paritytech"
      search_type:
        description: "Search by GitHub usernames or emails"
        required: true
        default: "github"
        type: choice # `options` is only honoured for choice inputs
        options:
          - github
          - humaans
      search_file_content:
        description: "Comma-separated usernames or emails"
        required: true
jobs:
  run-cli:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout CLI repository
        uses: actions/checkout@v4
        with:
          repository: paritytech/mlctrib-cli
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "latest"
      - name: Create search file
        # Inputs are passed through env instead of being interpolated into
        # the script, so a crafted input value cannot inject shell commands.
        env:
          SEARCH_FILE_CONTENT: ${{ github.event.inputs.search_file_content }}
        run: echo "$SEARCH_FILE_CONTENT" | tr ',' '\n' > search_values.txt
      - name: Install dependencies
        run: npm install
      - name: Run malicious-contributors CLI
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HUMAANS_API_KEY: ${{ secrets.HUMAANS_API_KEY }}
          ORG: ${{ github.event.inputs.org }}
          SEARCH_TYPE: ${{ github.event.inputs.search_type }}
        run: |
          if [ "$SEARCH_TYPE" = "github" ]; then
            node main.js --org "$ORG" --file search_values.txt --github > output.txt
          else
            node main.js --org "$ORG" --file search_values.txt --humaans > output.txt
          fi
        shell: bash
      - name: Upload output file
        uses: actions/upload-artifact@v4
        with:
          name: malicious-checker-output
          path: output.txt
```
Instructions for all CLI usage are in the README, so here is a short graphical step-by-step in case you go for the GitHub Action:
If you want to search GitHub usernames across the organization for contributions and match them with Humaans, set the action up in the following way:
If you have an email and want to check for GitHub contributions and a match in Humaans, run the action this way:
That's all: no need to worry about API keys or running locally, just trigger the action, which is available to anybody inside the paritytech organization. After the run finishes, open the run you triggered and, in the Artifacts section, download the compressed result with the report:
Small note: put 3 usernames max, because if your organization has 500+ repos, as paritytech does, the run will get rate limited.
Let us know if it's useful, if you want to extend it to support other employee platforms, or if you have problems running it. Every improvement is welcome, and maybe someone figures out a way to efficiently get past the rate limit.
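As an added example (not the mlctrib-cli source, whose internals are not shown in this post), here is the core matching the tool performs, in JavaScript: normalise the search values the workflow writes to search_values.txt, match them against contributor logins and commit emails (including GitHub noreply addresses, which embed the login), and read the GitHub rate-limit headers behind the note above. Contributor records and header values are constructed, and `findFlaggedContributors` and `secondsToWait` are hypothetical names.

```javascript
// Added example (not the mlctrib-cli source): match flagged GitHub logins or
// emails against per-repository contributor records. Contributor data is
// constructed inline; the real tool would fetch it from the GitHub API.
const NOREPLY_RE = /^(?:\d+\+)?([a-z0-9-]+)@users\.noreply\.github\.com$/i;

// Same split the workflow's "Create search file" step performs with tr:
// comma- or newline-separated values, trimmed, lower-cased, blanks dropped.
function parseSearchValues(text) {
  return text.split(/[,\n]/).map(v => v.trim().toLowerCase()).filter(Boolean);
}

// GitHub noreply addresses embed the login, so an email search value can be
// matched against logins too (and a login against noreply commit emails).
function loginFromEmail(email) {
  const m = NOREPLY_RE.exec(email || '');
  return m ? m[1].toLowerCase() : null;
}

// contributors: [{ repo, login, email }], one record per commit author seen.
// Returns { repo: [matched identity, ...] } for every repo with a hit.
function findFlaggedContributors(contributors, searchValues) {
  const flagged = new Set(searchValues.map(v => v.toLowerCase()));
  for (const v of [...flagged]) {
    const login = loginFromEmail(v);
    if (login) flagged.add(login);
  }
  const report = {};
  for (const { repo, login, email } of contributors) {
    const candidates = [login, email, loginFromEmail(email)]
      .filter(Boolean).map(c => c.toLowerCase());
    const hit = candidates.find(c => flagged.has(c));
    if (!hit) continue;
    if (!report[repo]) report[repo] = new Set();
    report[repo].add(hit);
  }
  return Object.fromEntries(
    Object.entries(report).map(([repo, hits]) => [repo, [...hits].sort()]));
}

// The post's rate-limit caveat: GitHub responses carry x-ratelimit-remaining
// and x-ratelimit-reset (unix seconds). Returns the pause, in seconds, the
// caller should take before the next request (0 when none is needed).
function secondsToWait(headers, nowSeconds) {
  const remaining = Number(headers['x-ratelimit-remaining']);
  const reset = Number(headers['x-ratelimit-reset']);
  if (!Number.isFinite(remaining) || !Number.isFinite(reset)) return 0;
  return remaining > 0 ? 0 : Math.max(0, reset - nowSeconds);
}
```

Pausing until the reset time instead of failing is the cheapest way to survive a 500-repo organization without raising the per-run username cap.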