Attackers have found a way to distribute malware through GitHub so that it appears to come from a legitimate project. According to a recent report by McAfee researchers, a Lua-based malware loader was being distributed through download links that appeared to point into Microsoft’s own GitHub repositories.

What makes the technique hard to spot is that the download URL carries the trusted organization and repository names. In the example McAfee cited, “https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip“, the link looks as though a .zip archive had been committed to the vcpkg repository. Browsing the repository itself, however, turns up no such file: the archive was never part of the project’s source tree, and the maintainers had nothing to do with it.

The trick relies on GitHub’s file-attachment feature. When a user attaches a file to a comment on a commit or an issue, GitHub uploads it immediately and generates a link of the form shown above, under the target repository’s path, before the comment is even submitted. The file stays available for download even if the comment is deleted right away, so the attacker ends up with a permanent, Microsoft-branded download URL that the repository owners never approved or reviewed. GitHub has not yet said whether it regards this as a bug or as intended behavior.
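For defenders, the practical point is that a `github.com/<owner>/<repo>/files/<id>/<name>` URL is a comment attachment, not repository content, so the owner and repository in the path say nothing about who uploaded the file. The following Python snippet is an added example (not code from the article or from McAfee) that classifies GitHub URLs found in text such as mail bodies or proxy logs and flags comment attachments. It assumes attachments follow the path shape shown in the article; the sample lines are constructed, and the non-Microsoft ones use made-up `example-org` names.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines (as might be pulled from a mail gateway or proxy log).
# The second line is the defanged URL quoted in the article; the others are
# made-up examples used only to exercise the classifier.
SAMPLE_LINES = [
    "https://github.com/microsoft/vcpkg/blob/master/README.md",
    "hxxps://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
    "https://github.com/example-org/example-repo/releases/download/v1.2.0/tool.zip",
    "https://github.com/example-org/example-repo/files/99999999/invoice.pdf",
    "https://raw.githubusercontent.com/example-org/example-repo/main/setup.sh",
    "https://example.com/files/123/not-github.zip",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], (.)) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url.replace("[.]", ".").replace("(.)", ".")


def classify_github_url(url: str) -> str:
    """Return what part of GitHub a URL points at.

    comment_attachment: /<owner>/<repo>/files/<numeric id>/<name>, i.e. a file
        attached to an issue or commit comment. Anyone with an account can
        create these; the owner/repo in the path is not evidence of origin.
    repository_content: blob/raw/tree paths or raw.githubusercontent.com,
        which actually come from the repository's git history.
    release_asset: /<owner>/<repo>/releases/download/<tag>/<name>.
    """
    u = urlparse(refang(url.strip()))
    host = (u.hostname or "").lower()
    parts = [p for p in u.path.split("/") if p]
    if host in ("github.com", "www.github.com"):
        if len(parts) >= 5 and parts[2] == "files" and parts[3].isdigit():
            return "comment_attachment"
        if len(parts) >= 4 and parts[2] in ("blob", "raw", "tree"):
            return "repository_content"
        if len(parts) >= 6 and parts[2] == "releases" and parts[3] == "download":
            return "release_asset"
        return "github_other"
    if host == "raw.githubusercontent.com":
        return "repository_content"
    return "not_github"


def flag_comment_attachments(lines):
    """Scan free text for URLs and return (owner/repo, filename, refanged url)
    for every GitHub comment attachment found."""
    hits = []
    for line in lines:
        for m in re.finditer(r"\bh(?:xx|tt)ps?://\S+", line, flags=re.I):
            url = m.group(0).rstrip(".,;\"'“”)")  # strip trailing punctuation
            if classify_github_url(url) == "comment_attachment":
                parts = [p for p in urlparse(refang(url)).path.split("/") if p]
                hits.append((f"{parts[0]}/{parts[1]}", parts[4], refang(url)))
    return hits


if __name__ == "__main__":
    for repo, name, url in flag_comment_attachments(SAMPLE_LINES):
        print(f"comment attachment under {repo}: {name}  <- {url}")
```

A rule like this belongs in mail and web filtering rather than in the repository: it cannot stop the upload, but it can make sure a `/files/<id>/` link is not treated as if a trusted project had published the file.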

Unfortunately, the projects being impersonated have few ways to defend themselves. The only mitigation currently available is to disable comments entirely, and that has costs of its own: legitimate users rely on issue comments to report bugs and make suggestions, and GitHub only lets a repository restrict comments for a limited period, at most six months at a time, after which they must be re-enabled or the restriction renewed.
