A vulnerability has been found in Microsoft\u2019s GitHub version control platforms that lets threat actors distribute malware in public repositories.<\/p>\n
Bleeping Computer noticed the problem when investigating a Lua malware loader distributed through a legitimate Microsoft GitHub repository called \u201cvcpkg\u201d.<\/p>\n
When looking into how the malware made its way into the repository, they found no reference to the files in the project\u2019s source code.<\/p>\n
The malware had been distributed since February, which raised questions about how it had been able to do so for that long without being detected.<\/p>\n
As it turns out, the malware was never actually uploaded to the project source code; instead, the threat actors added it as a comment on a commit or issue in the project.<\/p>\n
GitHub users can leave comments that allow attachments, such as archives or documents, to be uploaded to GitHub\u2019s content delivery network (CDN) using the following URL format:<\/p>\n
https:\/\/www.github.com\/{project_user}\/...
\n...{repo_name}\/files\/{file_id}\/{file_name}<\/code><\/p><\/blockquote>\n\u201cInstead of generating the URL after a comment is posted, GitHub automatically generates the download link after you add the file to an unsaved comment,\u201d Bleeping Computer reported<\/a><\/strong>.<\/p>\n
\u201cThis allows threat actors to attach their malware to any repository without them knowing.\u201d<\/p>\n
If the commenter deletes their post, the file remains on GitHub\u2019s CDN, and the URLs continue to work.<\/p>\n
Due to the information presented in the URL, such as the repository\u2019s name, threat actors can easily trick victims into accessing the URL.<\/p>\n
For example, a threat actor could upload a malware executable in a comment to the Google Chromium source code, pretending it\u2019s a new test version of the browser.<\/p>\n
Bleeping Computer found no settings to remove files from the repository.<\/p>\n
Thus, the only way to mitigate this threat is to temporarily turn off comments, which can only be done for six months at a time.<\/p>\n
Sergei Frankoff from UNPACME, an automated malware and analysis service, explained this threat on Twitch in March.<\/p>\n
Clarifying the situation for users on Twitter\/X, he added, \u201c[W]hat attackers have been doing is uploading malware in ZIP files that look like release assets to large open-source repositories.\u201d<\/p>\n
\u201cThey then share the links as though they are the legit release links for the repository.\u201d<\/p>\n
\nWeeks later… GitHub bug still dropping malware 👌 pic.twitter.com\/s165zOAsoI<\/a><\/p>\n
\u2014 herrcore (@herrcore) March 27, 2024<\/a><\/p><\/blockquote>\n