Hackers stole the source code of American government departments

The FBI has sent out a warning that hackers are exploiting vulnerabilities in SonarQube servers and using them to steal source code from US government departments and private companies.

According to the FBI, such attacks have been carried out since at least April 2020. Agents are warning users of SonarQube, a web application that companies build into their software to check the quality of code and detect errors and vulnerabilities in their projects. SonarQube applications connect to services such as GitHub or Azure DevOps.

The FBI said that some companies left such systems unprotected, running on their default configurations (on port 9000) with default administrator accounts (admin).

Hackers took advantage of this, accessed the connected repositories, and then stole the source code. Among the victims were US government agencies.