April 20, 2024 at 05:07PM
Threat actors are abusing a GitHub feature, the file attachment mechanism for comments, to distribute malware through download URLs that sit under the path of a Microsoft repository, giving the files an appearance of legitimacy. The same technique works against any public repository on GitHub, so it can be used to build convincing lures for almost any well-known project. Although McAfee and others have publicly reported this abuse, the malware distribution continues.
Based on the meeting notes, the following key takeaways have been identified:
– Threat actors are abusing GitHub's comment file-attachment feature to distribute malware via URLs that carry the owner and name of a public repository, making the files appear to come from that project.
– Malware installers such as ‘Cheat.Lab.2.7.2.zip’ and ‘Cheater.Pro.1.6.0.zip’ were served from URLs under a Microsoft repository's path. These files are not part of the project's source tree or releases; they were uploaded as attachments to comments on commits or issues.
– GitHub generates the download link as soon as a file is attached to a comment, before the comment is saved. The file therefore becomes reachable at a URL under the repository's path even if the comment is never posted or is later deleted, and the repository's maintainers have nothing to review or moderate, so the upload goes unnoticed.
– Because the URL names a repository the attacker does not control, the technique produces convincing lures tied to well-known companies, and any resulting infection reflects on the reputation of the named project or company rather than on the attacker.
– Disabling comments on a repository is currently the only way to stop new uploads of this kind, but it can significantly disrupt project development, and it does not revoke URLs for files that were already uploaded.
– BleepingComputer has attempted to alert both GitHub and Microsoft about this abuse, but as of the time of the meeting notes, no response had been received.
The team should stay vigilant about this issue and consider its potential impact on the company's own repositories: a malicious file hosted under one of our repository paths would carry our name. Internally, a github.com download link should be treated as trustworthy only when it points at repository content or a release asset, not at a comment attachment, since the owner and repository in an attachment URL say nothing about who uploaded the file. Exploring other strategies for addressing this issue with the broader community may also be necessary.
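As an added example (not code from the original report, from GitHub or from the affected projects), the check below turns the point of these notes into detection logic that can be run over links in an email, chat message or proxy log: a github.com download link earns trust only when it is repository content or a release asset, never a comment attachment, because the owner/repository segment of an attachment URL is merely the repository the comment was drafted against. It assumes the legacy attachment URL shape `https://github.com/<owner>/<repo>/files/<id>/<filename>` that this campaign used, plus the `user-attachments` path GitHub later moved new uploads to; the risky-extension list, the sample message, and the `example-org/example-repo` names and numeric ids are constructed placeholders.

```python
import re
from urllib.parse import urlparse
from pathlib import PurePosixPath

# Download URL that GitHub generated for a file attached to an issue, PR or commit
# comment. The <owner>/<repo> segment is only the repository the comment was
# drafted against; it is not evidence that the project published the file.
COMMENT_ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)
# Comment attachments uploaded more recently live under a shared path instead.
USER_ATTACHMENT_RE = re.compile(r"^/user-attachments/(?:files|assets)/")
# Release assets can only be published by someone with write access to the repo.
RELEASE_ASSET_RE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/")

# File types a lure like this would plausibly use (an assumption for this example).
RISKY_EXTENSIONS = {
    ".zip", ".7z", ".rar", ".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".iso",
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def classify_github_url(url: str) -> str:
    """Return what kind of GitHub URL this is, based only on host and path shape."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host == "raw.githubusercontent.com":
        return "raw-content"
    if host not in ("github.com", "www.github.com"):
        return "not-github"
    path = parsed.path
    if COMMENT_ATTACHMENT_RE.match(path):
        return "comment-attachment"
    if USER_ATTACHMENT_RE.match(path):
        return "user-attachment"
    if RELEASE_ASSET_RE.match(path):
        return "release-asset"
    return "other-github"


def apparent_owner_repo(url: str):
    """The owner/repo a legacy attachment URL appears to belong to, or None."""
    match = COMMENT_ATTACHMENT_RE.match(urlparse(url).path)
    return (match.group("owner"), match.group("repo")) if match else None


def is_suspicious_lure(url: str) -> bool:
    """True when the link is a comment attachment carrying an executable-like file."""
    if classify_github_url(url) not in ("comment-attachment", "user-attachment"):
        return False
    suffix = PurePosixPath(urlparse(url).path).suffix.lower()
    return suffix in RISKY_EXTENSIONS


def scan_text(text: str):
    """Extract URLs from a message body and report the ones matching the lure pattern."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:")  # drop trailing punctuation from prose
        if is_suspicious_lure(url):
            findings.append({
                "url": url,
                "kind": classify_github_url(url),
                "apparent_owner_repo": apparent_owner_repo(url),
            })
    return findings


# Constructed sample message; the org, repo and ids are placeholders, not real URLs.
SAMPLE_MESSAGE = """\
New build is up, grab it here: https://github.com/example-org/example-repo/files/123456/Cheat.Lab.2.7.2.zip
Pro version: https://github.com/example-org/example-repo/files/123457/Cheater.Pro.1.6.0.zip
Screenshot: https://github.com/example-org/example-repo/files/123458/screenshot.png
Official release: https://github.com/example-org/example-repo/releases/download/v1.0/tool.zip
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_MESSAGE):
        print(finding["kind"], finding["url"], "apparent owner/repo:", finding["apparent_owner_repo"])
```

Running it flags the two archives attached to comments and leaves the screenshot and the release asset alone. The classification is deliberately based on URL shape rather than on fetching the file: the whole point of the lure is that the host and repository name look right, so the path segment that identifies the upload channel is the only signal worth trusting.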