Malicious actors are actively abusing the file upload logic in GitHub’s comments to host and spread malware. The malware can be distributed via automatically generated download links that contain the name and owner of a repository used to create the URL.
Ironically, Microsoft – the owner of the developer platform – was abused in exactly this manner: hackers created a false affiliation between the malware and the company. However, as Bleeping Computer’s investigation into the topic uncovered, any other trusted developer or company can be abused in the very same way.
Storing malicious code in popular online services is not a novel approach. However, the way hackers abuse GitHub is rather creative.
The files uploaded using the comment feature are stored on GitHub’s servers. The access link to each file is generated immediately, and it is inserted into the draft of the comment as soon as the upload completes.
As Bleeping Computer described in detail, the user doesn’t even have to submit the comment with a suggestion or bug report. The file is already uploaded and stored, and its URL is available to the user. The URL contains the name of the repository under which the file was uploaded, as well as the name of the repository’s owner.
This file upload logic can trick potential victims into thinking that they are clicking on a link created by, or affiliated with, a particular trusted developer.
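The defensive consequence of the mechanism described above is that the owner and repository names in such a link say nothing about who uploaded the file. The following Python snippet is an added example, not code from the article or from GitHub: it classifies github.com URLs so that comment-attachment links are kept apart from files the repository owner actually publishes (release assets, committed content), and runs that classifier over a few constructed proxy log lines. The attachment path shape `/<owner>/<repo>/files/<id>/<filename>` is an assumption about the link format, and the log format, hostnames and client addresses are constructed for the example.

```python
"""
Classify github.com download URLs so that comment-attachment links are not
mistaken for files published by the repository owner.

Assumed attachment URL shape (an assumption, not stated in the article):
    https://github.com/<owner>/<repo>/files/<numeric id>/<filename>
The <owner>/<repo> segments reflect where the comment box was opened, not
who uploaded the file, so they carry no evidence of affiliation.
"""
import re
from urllib.parse import urlparse, unquote

# Attachment uploaded through a comment box (anyone who can comment can create one).
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)
# Release asset: only users with write access to the repository can attach these.
RELEASE_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/(?P<tag>[^/]+)/(?P<name>[^/]+)$"
)
# Committed repository content served via blob/raw views.
CONTENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?:blob|raw)/(?P<ref>[^/]+)/(?P<path>.+)$"
)


def classify_github_url(url: str) -> dict:
    """Return kind, owner, repo, filename and whether the owner controls the content."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    result = {"kind": "other", "owner": None, "repo": None,
              "filename": None, "owner_controlled": False}
    if host not in ("github.com", "www.github.com"):
        result["kind"] = "not_github"
        return result

    m = ATTACHMENT_RE.match(parsed.path)
    if m:
        # The repository named in the path did not necessarily publish this file.
        result.update(kind="comment_attachment", owner=m["owner"], repo=m["repo"],
                      filename=unquote(m["name"]), owner_controlled=False)
        return result

    m = RELEASE_RE.match(parsed.path)
    if m:
        result.update(kind="release_asset", owner=m["owner"], repo=m["repo"],
                      filename=unquote(m["name"]), owner_controlled=True)
        return result

    m = CONTENT_RE.match(parsed.path)
    if m:
        result.update(kind="repo_content", owner=m["owner"], repo=m["repo"],
                      filename=unquote(m["path"].rsplit("/", 1)[-1]), owner_controlled=True)
        return result

    return result


def flag_attachment_downloads(log_lines):
    """Return the entries in '<timestamp> <client> <url>' log lines that fetch comment attachments."""
    flagged = []
    for line in log_lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        timestamp, client, url = parts
        info = classify_github_url(url)
        if info["kind"] == "comment_attachment":
            flagged.append({"timestamp": timestamp, "client": client,
                            "repo": f"{info['owner']}/{info['repo']}",
                            "filename": info["filename"], "url": url})
    return flagged


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2024-04-20T10:01:02Z 10.0.0.5 https://github.com/example-org/example-tool/releases/download/v1.2.0/example-tool.zip",
    "2024-04-20T10:03:15Z 10.0.0.7 https://github.com/example-org/example-tool/files/12345678/Installer.zip",
    "2024-04-20T10:04:40Z 10.0.0.9 https://github.com/example-org/example-tool/blob/main/README.md",
    "2024-04-20T10:05:01Z 10.0.0.5 https://example.net/download/file.zip",
]

if __name__ == "__main__":
    for entry in flag_attachment_downloads(SAMPLE_LOG):
        print(f"{entry['timestamp']} {entry['client']} fetched comment attachment "
              f"'{entry['filename']}' that merely names {entry['repo']}: {entry['url']}")
```

The point of separating `owner_controlled` from the parsed owner and repository is that an allow-list keyed on "links under trusted-org/trusted-repo" would wave the attachment through; the classifier lets a proxy or log review treat attachment downloads as unvetted regardless of which repository name appears in the path.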
Currently, there is no workaround for developers to protect themselves from these malicious campaigns other than temporarily turning off comments in their repositories – which is, obviously, far from the ideal solution, as it restricts the collaborative aspect of the developer platform.
In reaction to Bleeping Computer’s report, GitHub has removed the malware seemingly affiliated with Microsoft, although some other malware campaigns remained accessible.
Neowin’s own tests of the platform’s behavior show that the file upload logic has not changed yet. GitHub didn’t offer any public comment on the topic that would indicate whether it plans to make changes at all.