GitHub vulnerability allows for undetected malware distribution

A vulnerability has been found in Microsoft's GitHub version control platform that lets threat actors distribute malware through public repositories without ever committing it to them.
Bleeping Computer noticed the problem when investigating a Lua malware loader distributed through a legitimate Microsoft GitHub repository called “vcpkg”.
When looking into how the malware made its way into the repository, they found no reference to the files in the project’s source code.
The malware had been distributed since February, which raised the question of how it could have stayed associated with the repository for that long without being detected.
As it turns out, the malware was never actually uploaded to the project source code; instead, the threat actors added it as a comment on a commit or issue in the project.
GitHub users can leave comments that allow attachments, such as archives or documents, to be uploaded to GitHub's content delivery network (CDN) using the following URL format:
https://www.github.com/{project_user}/{repo_name}/files/{file_id}/{file_name}
“Instead of generating the URL after a comment is posted, GitHub automatically generates the download link after you add the file to an unsaved comment,” Bleeping Computer reported.
“This allows threat actors to attach their malware to any repository without them knowing.”
If the commenter deletes their post, the file remains on GitHub’s CDN, and the URLs continue to work.
Because the URL carries the name of a trusted project and repository, threat actors can easily trick victims into downloading from it.
For example, a threat actor could upload a malware executable in a comment on the Google Chromium source code repository and pass the resulting link off as a new test version of the browser.
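The lure works because a comment-attachment URL and a genuine release-asset URL both start with the same trusted `owner/repo` prefix, but only the release URL points at something the project actually published. The following script is an added example, not code from Bleeping Computer or from GitHub: it classifies GitHub links by path shape (the attachment format quoted above versus the `/releases/download/{tag}/{name}` form of a real release asset) and flags attachments that carry a downloadable payload. The owner, repository, file ID and file names in the sample text are constructed placeholders, and the extension list is an assumption about what a practitioner would want to triage.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Comment attachment served from GitHub's CDN, in the format described above:
#   https://github.com/{project_user}/{repo_name}/files/{file_id}/{file_name}
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<file_id>[^/]+)/(?P<name>[^/]+)$"
)
# Genuine release asset, i.e. a download link from the repository's Releases page.
RELEASE_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/(?P<tag>[^/]+)/(?P<name>[^/]+)$"
)
# Assumed list of payload-bearing extensions worth flagging (an editorial choice).
PAYLOAD_EXTENSIONS = (".zip", ".7z", ".rar", ".exe", ".msi", ".dll", ".scr", ".bat")
# Crude URL extractor for free text; trailing punctuation is stripped separately.
URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


@dataclass
class GitHubLink:
    url: str
    kind: str                      # "comment_attachment", "release_asset" or "other"
    owner: Optional[str] = None
    repo: Optional[str] = None
    file_name: Optional[str] = None


def classify(url: str) -> GitHubLink:
    """Decide whether a URL is a comment attachment, a release asset, or neither."""
    parsed = urlparse(url.strip().rstrip(".,;"))
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return GitHubLink(url, "other")
    m = ATTACHMENT_RE.match(parsed.path)
    if m:
        return GitHubLink(url, "comment_attachment", m["owner"], m["repo"], m["name"])
    m = RELEASE_RE.match(parsed.path)
    if m:
        return GitHubLink(url, "release_asset", m["owner"], m["repo"], m["name"])
    return GitHubLink(url, "other")


def is_release_lure(url: str) -> bool:
    """True for a comment attachment whose file name looks like a downloadable payload.

    Such a file rides on the repository's name but was never part of the
    project's source tree or its published releases.
    """
    link = classify(url)
    return (
        link.kind == "comment_attachment"
        and link.file_name is not None
        and link.file_name.lower().endswith(PAYLOAD_EXTENSIONS)
    )


def find_lures(text: str) -> List[str]:
    """Return every URL in free text that is_release_lure() flags."""
    return [u for u in URL_RE.findall(text) if is_release_lure(u)]


# Constructed sample message; none of these links is real.
SAMPLE_TEXT = """Grab the new build here:
https://github.com/example-org/example-tool/files/12345678/example-tool-2.1.0-win64.zip
The official one is https://github.com/example-org/example-tool/releases/download/v2.1.0/example-tool-2.1.0-win64.zip
Source: https://github.com/example-org/example-tool/blob/main/README.md
Screenshot: https://github.com/example-org/example-tool/files/12345679/screenshot.png
"""

if __name__ == "__main__":
    for url in find_lures(SAMPLE_TEXT):
        link = classify(url)
        print(f"suspicious attachment in {link.owner}/{link.repo}: {link.file_name}")
```

The classifier deliberately treats the host `www.github.com` the same as `github.com`, matching the URL format quoted in the article, and it does not flag image attachments, which are the normal use of the feature. Anything it flags still needs a human decision, since legitimate users occasionally attach archives to bug reports.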
Bleeping Computer found no setting that lets repository owners remove files uploaded this way.
Thus, the only way to mitigate this threat is to temporarily turn off comments, which GitHub only allows for a maximum of six months at a time.
Sergei Frankoff from UNPACME, an automated malware analysis service, explained this threat on Twitch in March.
Clarifying the situation for users on Twitter/X, he added, “[W]hat attackers have been doing is uploading malware in ZIP files that look like release assets to large open-source repositories.”
“They then share the links as though they are the legit release links for the repository.”
Weeks later… GitHub bug still dropping malware 👌 pic.twitter.com/s165zOAsoI
— herrcore (@herrcore) March 27, 2024