GitLab affected by GitHub-style CDN flaw allowing malware hosting

April 22, 2024 at 11:10AM

Threat actors are abusing a file-attachment behaviour shared by GitHub and GitLab to distribute malware through URLs that sit under legitimate repositories, producing convincing lures. On GitLab, files attached to comments are served under a project's path in the same way. Examples show malware files made to appear linked to reputable organizations. None of the companies contacted for comment has addressed the issue.

The reporting makes clear that the same weakness is being exploited on both GitHub and GitLab. Threat actors are taking advantage of it to distribute malware through URLs associated with Microsoft repositories, making the files appear trustworthy. The same behaviour is observed on GitLab, where threat actors can upload files to the platform's CDN and have them appear associated with popular open-source projects.

The ability to attach files to comments on GitHub and GitLab lets threat actors create convincing lures, and the generated links remain active even if the comment is never posted or is deleted later. This is a serious risk because any public repository on these platforms can be abused this way: the attacker only needs to start a comment on a project they do not own. Furthermore, the generated file links are served under the owner's and repository's own path, which makes them look authentic and increases the trustworthiness of the lures.
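A receiving-side check that follows from the paragraph above, written here as an added example rather than anything from the original article or from GitHub or GitLab: it distinguishes comment-attachment URLs from a project's real release assets and flags attachment links whose filename looks like an executable or archive. The path shapes it matches (GitHub `/<owner>/<repo>/files/<id>/<name>` and `/user-attachments/files/<id>/<name>`, GitLab `/<namespace>/uploads/<32-hex>/<name>`) are assumptions about how the platforms serve attachments; the page does not spell them out, and the sample URLs are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Path shapes of comment-attachment links. These are assumptions drawn from
# how the two platforms publicly serve attachments; the article above does
# not spell them out.
#   GitHub: /<owner>/<repo>/files/<numeric id>/<filename>
#           /user-attachments/files/<numeric id>/<filename>
#   GitLab: /<group>[/<subgroup>...]/<project>/uploads/<32 hex chars>/<filename>
GITHUB_FILES = re.compile(r"^/([^/]+)/([^/]+)/files/(\d+)/([^/]+)$")
GITHUB_USER_ATTACHMENTS = re.compile(r"^/user-attachments/files/(\d+)/([^/]+)$")
GITLAB_UPLOADS = re.compile(r"^/(.+?)/uploads/([0-9a-f]{32})/([^/]+)$")
# A release asset is the legitimate way a project ships binaries.
GITHUB_RELEASE_ASSET = re.compile(r"^/([^/]+)/([^/]+)/releases/download/[^/]+/[^/]+$")

# Extensions worth a closer look when served from an attachment URL.
RISKY_EXTENSIONS = (".exe", ".msi", ".zip", ".7z", ".rar", ".iso", ".scr",
                    ".bat", ".cmd", ".js", ".vbs", ".lnk", ".dll")

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def classify_url(url):
    """Describe what kind of hosted object a GitHub/GitLab URL points at.

    Returns a dict with platform, kind, the repository namespace the URL
    appears under, and the filename. For attachments the namespace only
    says where the comment was written, not who uploaded the file.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    path = parsed.path
    filename = path.rsplit("/", 1)[-1]
    if host == "github.com":
        m = GITHUB_FILES.match(path)
        if m:
            return {"platform": "github", "kind": "comment_attachment",
                    "namespace": f"{m.group(1)}/{m.group(2)}",
                    "filename": m.group(4)}
        m = GITHUB_USER_ATTACHMENTS.match(path)
        if m:
            return {"platform": "github", "kind": "comment_attachment",
                    "namespace": None, "filename": m.group(2)}
        m = GITHUB_RELEASE_ASSET.match(path)
        if m:
            return {"platform": "github", "kind": "release_asset",
                    "namespace": f"{m.group(1)}/{m.group(2)}",
                    "filename": filename}
        return {"platform": "github", "kind": "other",
                "namespace": None, "filename": filename}
    if host == "gitlab.com":
        m = GITLAB_UPLOADS.match(path)
        if m:
            return {"platform": "gitlab", "kind": "comment_attachment",
                    "namespace": m.group(1), "filename": m.group(3)}
        return {"platform": "gitlab", "kind": "other",
                "namespace": None, "filename": filename}
    return {"platform": None, "kind": "other",
            "namespace": None, "filename": filename}


def find_attachment_lures(text):
    """Scan free text (an e-mail body, a chat export, a proxy log) and return
    every comment-attachment URL whose filename has a risky extension."""
    hits = []
    for url in URL_RE.findall(text):
        info = classify_url(url)
        if info["kind"] != "comment_attachment":
            continue
        if info["filename"].lower().endswith(RISKY_EXTENSIONS):
            hits.append({"url": url, **info})
    return hits


# Constructed sample input: every URL below is made up for this example.
SAMPLE_TEXT = """\
Please grab the updated build here:
https://github.com/example-org/example-repo/files/1234567/installer.zip
Source is at https://github.com/example-org/example-repo/blob/main/README.md
Official release: https://github.com/example-org/example-repo/releases/download/v1.2.0/tool.tar.gz
Mirror: https://gitlab.com/example-group/example-project/uploads/0123456789abcdef0123456789abcdef/update.exe
Screenshot: https://github.com/user-attachments/files/7654321/screen.png
"""

if __name__ == "__main__":
    for hit in find_attachment_lures(SAMPLE_TEXT):
        print(f"{hit['platform']:6} {(hit['namespace'] or '-'):40} {hit['filename']}")
```

The namespace in a flagged hit is deliberately reported but not trusted: as the article notes, it identifies the repository the comment was written against, which any account can do, so it is not evidence that the project's maintainers published the file.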

Despite the potential for abuse, neither GitHub nor GitLab provides a setting that lets a project manage or delete files attached to it in this way. It is also concerning that GitHub, Microsoft, and GitLab were all contacted about the issue and none has responded.

Action is needed to address this weakness and limit its abuse by threat actors. It would be prudent to follow up with GitHub, Microsoft, and GitLab for a response and to raise awareness of the issue within the broader community. Until the platforms act, the practical mitigation sits on the receiving side: a download link that happens to live under a repository's path is not evidence that the project published the file, and it deserves the same suspicion as any other unsolicited attachment. Investigating platform-side fixes that better protect repositories should remain a priority.
