Hackers have found a way to upload malware to GitHub and even make it look like it is hosted and distributed by other, legitimate operators.
This is evident from a new report from cybersecurity researchers at McAfee, who recently spotted a Lua-based malware loader being distributed via what appears to be Microsoft's GitHub repository.
However, the way the malware is hosted on GitHub has some peculiar characteristics that make its true origin very difficult to spot.
Here’s an example of what a link to the malware looks like:
https://github(.)com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
Even though the link suggests the .zip file lives in the vcpkg repository, browsing or searching the repository for the archive yields no results.
The explanation is GitHub's comment attachment feature. When a user writes a comment on a commit or an issue, they can attach a file to it. The file is uploaded immediately, and a link like the one above, carrying the repository owner and name in its path, is generated. Worse, the user can post the comment and delete it right away, and the file remains uploaded and reachable. They do not even need to post the comment: simply attaching the file while composing it produces the same result.
At this point there is no indication whether this is a bug or an intended feature on GitHub's side, but according to BleepingComputer, companies can do very little to protect themselves against this type of impersonation.
The only option is to disable comments altogether, but that causes more problems than it solves: legitimate users often use the comments section to report bugs or suggest improvements to the project. And even then, comments can only be disabled for up to six months at a time.
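Since repository owners cannot prevent these uploads, the practical defense sits on the consuming side: a download allowlist must not treat the owner/repo in a GitHub URL as proof of who published the file. The following script is an added example, not code from McAfee, BleepingComputer or GitHub. It classifies GitHub links by path shape, using the `/files/<numeric id>/<filename>` attachment form shown above as the marker for a comment attachment, and only trusts files addressed through a commit, release or repository archive of a trusted organisation. The sample URLs other than the one from the article are constructed, and the set of "repository content" path forms is an assumption of this example, not an exhaustive list of GitHub's URL schemes.

```python
import re
from urllib.parse import urlparse

# Comment-attachment form seen in the article:
#   https://github.com/<owner>/<repo>/files/<numeric id>/<filename>
# The file is stored by GitHub's attachment service when it is dropped into a
# comment box; it is NOT committed to the repository, even though the owner
# and repo appear in the path and the comment may never have been posted.
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)

# Path forms that resolve to content controlled by the repository's
# maintainers (git objects, release assets, source archives). Assumption of
# this example: these are the forms we are willing to treat as "repo content".
REPO_CONTENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?:blob|raw|releases/download|archive)/"
)


def classify_github_url(url):
    """Return (category, owner, repo) for a download link.

    category is one of:
      'comment-attachment'  path matches the /files/<id>/ attachment form; the
                            owner/repo in the path say nothing about who uploaded it
      'repo-content'        file is addressed through a commit, release or archive
      'other'               some other github.com path
      'not-github'          different scheme or host
    """
    p = urlparse(url)
    if p.scheme != "https" or p.netloc.lower() != "github.com":
        return ("not-github", None, None)
    m = ATTACHMENT_RE.match(p.path)
    if m:
        return ("comment-attachment", m["owner"], m["repo"])
    m = REPO_CONTENT_RE.match(p.path)
    if m:
        return ("repo-content", m["owner"], m["repo"])
    return ("other", None, None)


def is_trusted_download(url, trusted_orgs):
    """Allow a download only if it is repository content of a trusted org.

    A comment attachment is rejected even when the org is trusted, because
    anyone who can open a comment box on that repository can create one.
    """
    category, owner, _ = classify_github_url(url)
    if category != "repo-content" or owner is None:
        return False
    return owner.lower() in {o.lower() for o in trusted_orgs}


if __name__ == "__main__":
    trusted = ["microsoft"]
    samples = [
        # URL from the article (defanging removed)
        "https://github.com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
        # constructed examples
        "https://github.com/microsoft/vcpkg/releases/download/example-tag/tool.zip",
        "https://github.com/microsoft/vcpkg/archive/refs/tags/example-tag.zip",
        "https://github.com/someone-else/vcpkg/releases/download/example-tag/tool.zip",
        "https://github.com/microsoft",
        "https://example.com/microsoft/vcpkg/files/1/tool.zip",
    ]
    for u in samples:
        category, owner, repo = classify_github_url(u)
        verdict = "ALLOW" if is_trusted_download(u, trusted) else "BLOCK"
        print(f"{verdict:5} {category:18} owner={owner} repo={repo} {u}")
```

The check is deliberately an allowlist decision, not a malware check: it says nothing about whether a release asset is clean, only that a `/files/<id>/` link must never inherit the reputation of the organisation named in its path. Attachment links served from hosts other than github.com are outside what this example handles.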