Threat actors use GitHub to distribute malware

[Daniel Puchert]

GitHub vulnerability allows for undetected malware distribution

A vulnerability has been found in Microsoft’s GitHub version control platforms that lets threat actors distribute malware in public repositories.

Bleeping Computer noticed the problem when investigating a Lua malware loader distributed through a legitimate Microsoft GitHub repository called “vcpkg”.

 

[Jet-Fighter7700]

isnt Github owned by Microsoft? another corporate failure?

 

[Stinkbeaver]

isnt Github owned by Microsoft? another corporate failure?

I actually thought it was one of their few success stories but I maybe wrong.

 

[Fulcrum29]

This isn't anything new, but it is usually well clamped down on. Cloned repositories also require a thorough review.

 

[Fulcrum29]

As it turns out, the malware was never actually uploaded to the project source code; instead, the threat actors added it as a comment on a commit or issue in the project.

Seen this too, though there are third-party monitoring tools which can be used. It does not accommodate everyone.

This:

Clarifying the situation for users on Twitter/X, he added, “[W]hat attackers have been doing is uploading malware in ZIP files that look like release assets to large open-source repositories.”

Yeah.

 

[r00igev@@r]

This is a Linux vulnerability.

 

[Swa]

How is this classified as a vulnerability? You allow anyone to upload files and then are surprised when people download and use them.

 

[gregmcc]

How is this classified as a vulnerability? You allow anyway to upload files and then are surprised when people download and use them.

Yeah, not really a vulnerability. This is due to bad practices.

1 - Github repos are not scanned for malware.
2 - Uploaded files are never removed even after you remove your comment.

isnt Github owned by Microsoft? another corporate failure?

Just came across this gem

Why Microsoft is a national security threat

With little competition at the goverment level, Windows giant has no incentive to make its systems safer

www.theregister.com

 

[Johnatan56]

2 - Uploaded files are never removed even after you remove your comment.

Just wanted to add to this: If added to issues/PR*

Ability to delete uploaded files and/or disable file upload in Issues or PRs at org level · community · Discussion #11984

Users cannot delete files that are uploaded to GitHub issues or PRs. This lack of functionality poses business risks to users and alone is sufficient to prompt orgs to consider switching to GitLab ...

github.com

Had an issue with someone uploading something non-GDPR compliant in our enterprise repo, it's either open Github support ticket or swap repo visibility (public -> private or vice versa).
We ended up just restricting repo access for a day until Github support removed it.