GitHub Comments: A Growing Platform for Malware Distribution

Researchers have found that attackers are abusing GitHub to distribute malware. In one campaign, the malicious files are served from URLs that carry the names of Microsoft repositories, which makes them look trustworthy to victims.

Last week, McAfee researchers reported on fake cheating software that was actually a modified version of the Redline infostealer. While investigating the campaign, they observed that the payloads of the fake cheats were downloaded from URLs tied to the vcpkg and STL repositories owned by Microsoft on GitHub:

https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

Reporters at Bleeping Computer found it odd that Microsoft repositories could have been distributing malware since February 2024 without anyone noticing; moreover, the projects’ source code contained no references to the files in question.

The publication’s journalists investigated and discovered that the files were not part of vcpkg at all: they had been uploaded as attachments to comments on commits and issues.

When leaving a comment on GitHub, a user can attach a file to it. The file is uploaded to GitHub’s CDN and tied to the project through a URL with a fixed format: https://www.github[.]com/{project_user}/{repo_name}/files/{file_id}/{file_name}. For videos and images, the path uses /assets/ instead of /files/.

The link is automatically generated when adding a file to a comment

GitHub does not wait for the comment to be published: the download link is created as soon as a file is added to a still-unsaved comment. An attacker can therefore associate malware with any repository that accepts comments, without its owners ever seeing a comment or being notified.

Furthermore, even if the comment is never published (or is deleted immediately after publication), the file is not removed from the GitHub CDN and the URL keeps working.

Journalists note that the victim organization’s account name and repository name remain visible in the URL, which lets attackers build convincing lures around a trusted brand.

For example, an attacker could upload a malicious executable to an Nvidia repository under the guise of a driver installer, with the malware posing as a new driver that fixes issues in a popular game. Alternatively, an attacker could attach a file to a comment on the Google Chromium source code and claim it is a new experimental browser build.
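Because the attachment URL format described above is fixed and never corresponds to files actually committed to the repository, a defender can flag these downloads in proxy or EDR telemetry regardless of which organization’s name appears in the path. The following Python script is an added example written for this article, not code from Bleeping Computer, McAfee or GitHub: it extracts URLs from log lines, recognises the github.com/{owner}/{repo}/files/{id}/{name} and /assets/ attachment shapes, and marks archive and executable extensions as suspicious. The sample log lines (timestamps and client IPs) are constructed for the demonstration; the two attachment URLs are the ones quoted in the article. The exact layout of the path components after /assets/ and the list of risky extensions are assumptions to tune for your environment.

```python
import os
import re
from urllib.parse import urlparse

# URL shape from the article: https://github.com/{owner}/{repo}/files/{file_id}/{file_name}
# for generic attachments, with /assets/ in place of /files/ for images and videos.
# Assumption: the two path components after /assets/ are likewise an id and a name.
ATTACHMENT_PATH_RE = re.compile(
    r"^/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/(?P<kind>files|assets)/"
    r"(?P<file_id>[\w-]+)/(?P<file_name>[^/?#]+)$"
)

# Anything that looks like a URL in a log line; hxxp:// and [.] defanging are accepted too.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s\"'<>]+")

# Extensions that merit an alert when served from a comment attachment (assumption: tune per org).
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js", ".iso"}


def refang(url):
    """Turn a defanged indicator (hxxps://github[.]com/...) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def parse_attachment(url):
    """Return owner/repo/kind/file_id/file_name if url is a GitHub comment attachment, else None.

    Regular repository content (raw.githubusercontent.com, /archive/, /releases/) does not match,
    so a hit here means the file was uploaded through a comment, not committed to the project.
    """
    parsed = urlparse(refang(url).rstrip(".,;)"))
    if (parsed.hostname or "").lower() not in {"github.com", "www.github.com"}:
        return None
    match = ATTACHMENT_PATH_RE.match(parsed.path)
    if match is None:
        return None
    info = match.groupdict()
    ext = os.path.splitext(info["file_name"])[1].lower()
    info["suspicious"] = ext in RISKY_EXTENSIONS
    info["url"] = parsed.geturl()
    return info


def scan_log(lines):
    """Scan proxy log lines and return every GitHub comment-attachment download found."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            info = parse_attachment(url)
            if info is not None:
                info["line"] = line
                findings.append(info)
    return findings


# Constructed proxy log: timestamps and client addresses are invented for the example;
# the two /files/ URLs are the attachment URLs quoted in the article.
SAMPLE_PROXY_LOG = [
    "2024-04-22T10:15:03Z 10.0.0.15 GET https://github.com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip 302",
    "2024-04-22T10:16:40Z 10.0.0.15 GET https://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip 302",
    "2024-04-22T10:20:11Z 10.0.0.22 GET https://github.com/microsoft/vcpkg/archive/refs/tags/2024.02.14.zip 302",
    "2024-04-22T10:21:00Z 10.0.0.22 GET https://raw.githubusercontent.com/microsoft/vcpkg/master/README.md 200",
    "2024-04-22T10:25:09Z 10.0.0.31 GET https://github.com/microsoft/vcpkg/assets/1234567/0e0c0f1a-screenshot.png 302",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        label = "ALERT" if hit["suspicious"] else "info "
        print(f"{label} {hit['owner']}/{hit['repo']} {hit['kind']} id={hit['file_id']} name={hit['file_name']}")
```

Run against the sample log, the script reports the two cheat archives as alerts and the image attachment as informational, while the legitimate source archive and raw file download are ignored. The point of the classifier is that the owner/repo segment of an attachment URL says nothing about who uploaded the file, so a policy of trusting downloads "from microsoft/vcpkg" has to exclude the /files/ and /assets/ paths entirely.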

Even if a company discovers that its repositories are being used to distribute malware, GitHub offers no setting for managing files attached to a project. The only way to protect a repository from this abuse is to restrict comments, and GitHub allows that only temporarily, for at most six months.

Sergei Frankoff, a specialist at the UNPACME automated malware analysis service, devoted a Twitch live stream to this issue last month and said that attackers are actively exploiting it.

While investigating the issue, Bleeping Computer found another repository, httprouter, that was also being used to distribute malware. Interestingly, it was the same fake cheat, Cheater.Pro.1.6.0.zip, as in the Microsoft URLs.

Frankoff also told the publication that in March he had found a similar campaign involving the same Lua-based loader, SmartLoader, this time disguised as the cheating software Aimmy. According to the expert, SmartLoader is typically installed alongside other payloads, such as the aforementioned RedLine stealer.

Bleeping Computer reached out to GitHub and Microsoft about the issue but received no response. Over the weekend, GitHub removed the malware associated with Microsoft’s repositories; however, the malware linked to httprouter and Aimmy remains accessible, and its URLs still work.

Update:

Bleeping Computer discovered that GitLab is affected by a similar issue: there, too, the generated file links remain active even if the comment was never published or was deleted immediately.
