Hackers abused GitHub comments to push malware using Microsoft repo URLs

GitHub has removed malware linked to Microsoft's repositories


In recent developments, hackers have been using a GitHub flaw to distribute malware through URLs related to Microsoft repositories, which poses a serious risk to users.

Although it was first observed in Microsoft repositories, the technique can affect any public repository on the platform, which widens the security concern considerably.

McAfee recently revealed a new malware loader pushed through URLs that appear to belong to legitimate Microsoft GitHub repositories, such as STL and vcpkg (the C++ Library Manager for Windows, macOS, and Linux).

The URLs for the malware installers look like they belong to Microsoft repositories. However, the project's source code contains no reference to these files, which is suspicious. Here are the URLs:

https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

Bleeping Computer further investigated the issue and found that these files were not included in the official repositories but were uploaded as attachments to comments on issues or commits within the projects.

GitHub lets users attach files to comments, which are uploaded to GitHub’s Content Delivery Network (CDN) and associated with the respective project through unique URLs.

Furthermore, even if the comment is never posted, or is deleted later, the uploaded file remains accessible through the generated URL.
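As an added illustration, not part of the Windows Report article and not code from GitHub, Microsoft or McAfee, the following Python scanner flags download URLs that have the comment-attachment shape described above. The `github.com` host and the `/files/<id>/<name>` path shape come from the article's URLs; the proxy log format, the regexes and the list of risky extensions are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Comment attachments are served from /<owner>/<repo>/files/<numeric id>/<filename>.
# Nothing under that path is part of the repository's tracked source tree, so a
# "download" from it is not vouched for by the repository owner (assumed regexes).
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<file_id>\d+)/(?P<name>[^/]+)$")
RELEASE_RE = re.compile(r"^/[^/]+/[^/]+/releases/download/")
SOURCE_RE = re.compile(r"^/[^/]+/[^/]+/(blob|raw|tree)/")
URL_RE = re.compile(r"https?://[^\s\"']+")
RISKY_EXT = (".zip", ".rar", ".7z", ".exe", ".msi", ".bat", ".ps1")  # assumption

@dataclass
class Verdict:
    url: str
    kind: str      # comment-attachment | release-asset | source | other | non-github
    flagged: bool
    reason: str

def refang(url: str) -> str:
    """Undo the [.] defanging used in reports so the URL can be parsed."""
    return url.replace("[.]", ".")

def classify(url: str) -> Verdict:
    p = urlparse(refang(url))
    if p.netloc.lower() != "github.com":
        return Verdict(url, "non-github", False, "")
    m = ATTACHMENT_RE.match(p.path)
    if m:
        risky = m["name"].lower().endswith(RISKY_EXT)
        reason = (f"{m['name']} is a comment attachment (id {m['file_id']}) "
                  f"hosted under {m['owner']}/{m['repo']}, not repository content")
        return Verdict(url, "comment-attachment", risky, reason if risky else "")
    if RELEASE_RE.match(p.path):
        return Verdict(url, "release-asset", False, "")
    if SOURCE_RE.match(p.path):
        return Verdict(url, "source", False, "")
    return Verdict(url, "other", False, "")

def scan_log(lines):
    """Return flagged verdicts for every GitHub URL found in the log lines."""
    return [v for line in lines for u in URL_RE.findall(line)
            if (v := classify(u)).flagged]

# Constructed proxy log lines; the first two URLs are the ones quoted in the article.
SAMPLE_LOG = [
    "2024-04-19T10:01:02Z host1 GET https://github.com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip 200",
    "2024-04-19T10:02:10Z host2 GET https://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip 200",
    "2024-04-19T10:03:44Z host3 GET https://github.com/microsoft/STL/blob/main/README.md 200",
    "2024-04-19T10:04:01Z host4 GET https://github.com/microsoft/vcpkg/releases/download/2024.01.12/vcpkg.exe 200",
]

if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        print(f"FLAG {v.url}: {v.reason}")
```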

This flaw is concerning as it raises questions about the integrity of software distribution via GitHub. Hackers can easily upload malware disguised as legitimate files within comments on popular repositories.

As these URLs carry the names of reputable repositories, users may not suspect them, which could lead to the widespread dissemination of malware across various industries and platforms.

Despite the seriousness of the issue, GitHub offers no built-in setting to manage files attached to a project's comments, leaving organizations on the platform exposed.

Bleeping Computer has alerted Microsoft and GitHub about the flaw, but they have not responded yet. Although GitHub has removed the malware linked to Microsoft’s repositories, the malware related to Aimmy and httprouter is still there.

If you wish to protect your reputation and keep your account and repositories from being abused, the only option is to disable comments on your project. However, according to the GitHub support document, you can only disable comments for six months at a time.

Also, not allowing users to comment on your project could hamper its development, since contributors rely on comments to report bugs and suggest improvements.

The incident is a reminder that the open source community and similar platforms should take proactive measures to protect their users from malicious activity.

What do you think about the incident? Share your thoughts with our readers in the comments section below.
