Security News > 2024 > April > Using Legitimate GitHub URLs for Malware

The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL. What this means is that someone can upload malware and "Attach" it to a legitimate and trusted project.
As the file's URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.
A threat actor could upload a malware executable in NVIDIA's driver installer repo that pretends to be a new driver fixing issues in a popular game.
Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it's a new test version of the web browser.
These URLs would also appear to belong to the company's repositories, making them far more trustworthy.
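The defensive check this suggests is to stop treating "the URL is under the vendor's repository" as evidence that the vendor published the file. The Python below is an added example, not code from the article or from GitHub: it classifies GitHub download URLs by who actually controls the content (comment attachments versus release assets and committed files) and flags attachment downloads that look executable in a constructed proxy log. The path patterns are assumptions based on GitHub's publicly visible URL layout, and the organisation, repository and file names are placeholders.

```python
"""Classify GitHub download URLs by who controls the content they serve.

Added example (not from the article): a file uploaded in an issue or PR
comment gets a URL under the repository's own path, so the URL alone does
not prove the maintainers published the file. The path patterns below are
assumptions based on GitHub's publicly visible URL layout.
"""
import os
import re
from urllib.parse import urlparse

# Hypothetical list of extensions a defender would treat as executable payloads.
EXECUTABLE_EXTS = {".exe", ".msi", ".dll", ".scr", ".bat", ".ps1", ".js", ".jar", ".zip", ".7z"}

# Comment attachments (assumed layout): /<owner>/<repo>/files/<id>/<name>
COMMENT_ATTACHMENT = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/\d+/(?P<name>[^/]+)$")
# Newer attachment layout without a repo in the path (assumed).
USER_ATTACHMENT = re.compile(r"^/user-attachments/files/\d+/(?P<name>[^/]+)$")
# Release assets, which only people with write access to the repo can publish.
RELEASE_ASSET = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/[^/]+/(?P<name>[^/]+)$")
# Files committed to the repository tree.
REPO_CONTENT = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?:blob|raw)/[^/]+/(?P<path>.+)$")


def classify(url: str) -> dict:
    """Return the URL kind, the repo it appears to belong to, and whether the
    repo maintainers actually control the content served at that URL."""
    other = {"kind": "other", "repo": None, "name": None, "maintainer_controlled": False}
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc.lower() != "github.com":
        return other
    path = parsed.path
    m = COMMENT_ATTACHMENT.match(path)
    if m:  # repo name is in the path, but anyone able to comment could have uploaded this
        return {"kind": "comment_attachment", "repo": f"{m['owner']}/{m['repo']}",
                "name": m["name"], "maintainer_controlled": False}
    m = USER_ATTACHMENT.match(path)
    if m:
        return {"kind": "comment_attachment", "repo": None,
                "name": m["name"], "maintainer_controlled": False}
    m = RELEASE_ASSET.match(path)
    if m:
        return {"kind": "release_asset", "repo": f"{m['owner']}/{m['repo']}",
                "name": m["name"], "maintainer_controlled": True}
    m = REPO_CONTENT.match(path)
    if m:
        return {"kind": "repo_content", "repo": f"{m['owner']}/{m['repo']}",
                "name": m["path"].rsplit("/", 1)[-1], "maintainer_controlled": True}
    return other


def flag_download(url: str) -> bool:
    """True when the URL borrows a repo's name but serves content anyone could
    have attached, and the file name looks like something that would execute."""
    info = classify(url)
    if info["kind"] != "comment_attachment" or info["name"] is None:
        return False
    return os.path.splitext(info["name"])[1].lower() in EXECUTABLE_EXTS


# Constructed proxy-log lines (not real traffic): "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2024-04-22T10:01:03Z 10.0.0.12 GET https://github.com/example-org/example-driver/releases/download/v1.2.0/driver-1.2.0.zip
2024-04-22T10:01:17Z 10.0.0.12 GET https://github.com/example-org/example-driver/files/1234567/GameFix_Driver_Update.exe
2024-04-22T10:02:40Z 10.0.0.33 GET https://github.com/example-org/example-driver/blob/main/README.md
2024-04-22T10:03:05Z 10.0.0.33 GET https://github.com/user-attachments/files/7654321/screenshot.png
"""


def scan_log(text: str) -> list:
    """Return (client, url) pairs for downloads a defender should review."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _method, url = parts
        if flag_download(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        info = classify(url)
        print(f"{client} fetched {info['name']} via a comment attachment under {info['repo']}: {url}")
```

The release asset and the committed README pass because only people with write access to the repository can publish those; the `.exe` under `/files/` is flagged because that path is exactly the one the article describes, where the repository name lends credibility to a file its maintainers never touched. A proxy or mail-gateway rule keyed on the same distinction gives analysts a narrow, low-noise signal.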
News URL
https://www.schneier.com/blog/archives/2024/04/using-legitimate-github-urls-for-malware.html
Related news
- GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets (source)
- 200-plus impressively convincing GitHub repos are serving up malware (source)
- Hundreds of GitHub repos served up malware for years (source)
- Microsoft admits GitHub hosted malware that infected almost a million devices (source)
- ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More (source)