Hackers have found a way to upload malware to GitHub, and even have it look as if it was hosted and distributed by other, legitimate operators.
This is according to a new report from cybersecurity researchers McAfee, who recently saw the LUA malware loader being distributed through what seems to be Microsoft’s GitHub repository.
However the malware uploaded to GitHub has some curious features that make it very difficult to spot
Here is an example of what a link to the malware looks like:
https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
Even though it would seem, from the link, that the .zip file was uploaded to the vcpkg library, opening it directly and looking for the archive will yield no results.
Apparently, when a user wants to leave a comment on a commit or an issue, they can also add a file to that comment. That file will automatically be uploaded, and a link will be generated which looks like the one above. The “best” thing about it is that the user can post, and quickly delete the comment, and the file will remain uploaded and available. What’s more, they don’t even have to post the comment, as drafting it will yield the same result.
Right now there isn’t any indication if this is a bug, or an intended feature on GitHub’s side, but according to BleepingComputer, there is very little victim companies can do to protect themselves from being impersonated this way.
The only solution is to disable comments altogether, but that brings more problems than it solves. Legitimate users will often take to the comments section to report bugs, or give quality suggestions for the project. What’s more, comments can only be disabled for a maximum of six months at a time.