Hackers are spreading malware on GitHub by deceiving users with fake Microsoft files.

A recent report released by cybersecurity researchers at McAfee has unveiled a concerning trend where hackers are managing to distribute malware through GitHub while making it appear as if the malicious software is hosted and disseminated by reputable entities.

The researchers discovered that the LUA malware loader was being distributed through a GitHub repository that appeared to belong to Microsoft, which raises significant security concerns.

One of the most alarming aspects of this campaign is how convincing the download links look, which makes the malware hard to spot.

For instance, the link to the malware can look like a legitimate file hosted in a well-known repository, as in this example: https://github[.]com/microsoft/vcpkg/files/14125503/

Although the link suggests that a .zip file was uploaded to the vcpkg repository, users who open the actual repository would not find the file anywhere in it.

It has been observed that a file can be uploaded as an attachment when leaving a comment on a commit or an issue on GitHub. The uploaded file is given a link of the form shown above, under the repository's own path, which allows for stealthy distribution of malware. Hackers can post the comment and delete it right away, and the file remains accessible without raising suspicion. It remains unclear whether this behavior is a bug or an intentional feature on GitHub's part.
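The practical consequence for defenders is that the owner/repo segment of a GitHub comment-attachment URL proves nothing about who uploaded the file, so download logs should not treat such links as vendor-published content. The following Python is an added example written for this article, not code from McAfee, BleepingComputer or GitHub: it classifies GitHub URLs by path shape (comment attachment under /files/<id>/, repository content, release asset) and runs that check over constructed web-proxy log lines. The log format, the user names, the filenames and the example-org/example-tool repository are all made up for illustration; only the microsoft/vcpkg path and the 14125503 identifier come from the article. It assumes the /owner/repo/files/<numeric id>/ shape described on this page, which GitHub may change at any time.

```python
import re
from urllib.parse import urlparse

# Path shapes seen under github.com. Only the first is a comment attachment:
# the file lives in GitHub's upload storage, not in the repository's git tree,
# and the owner/repo segment says nothing about who uploaded it.
_ATTACHMENT = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)(?:/|$)")
_REPO_FILE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?:blob|raw|tree)/")
_RELEASE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/")

# Field extractors for the constructed "key=value" proxy-log format used below.
_URL_FIELD = re.compile(r"\burl=(\S+)")
_USER_FIELD = re.compile(r"\buser=(\S+)")


def refang(url: str) -> str:
    """Turn the defanged form used in reports (github[.]com, hxxp) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def classify_github_url(url: str) -> dict:
    """Return {'kind', 'owner', 'repo'} for a URL.

    kind is one of: comment_attachment, repo_content, release_asset, other, not_github.
    """
    parsed = urlparse(refang(url))
    host = parsed.netloc.lower()
    if host == "raw.githubusercontent.com":
        # raw URLs look like /owner/repo/<ref>/path; they are real repository content.
        parts = parsed.path.split("/")
        owner, repo = (parts[1], parts[2]) if len(parts) >= 3 else (None, None)
        return {"kind": "repo_content", "owner": owner, "repo": repo}
    if host not in ("github.com", "www.github.com"):
        return {"kind": "not_github", "owner": None, "repo": None}
    for kind, pattern in (
        ("comment_attachment", _ATTACHMENT),
        ("repo_content", _REPO_FILE),
        ("release_asset", _RELEASE),
    ):
        m = pattern.match(parsed.path)
        if m:
            return {"kind": kind, "owner": m["owner"], "repo": m["repo"]}
    return {"kind": "other", "owner": None, "repo": None}


def flag_comment_attachment_downloads(log_lines, trusted_orgs):
    """Pick out downloads of comment attachments and note whether the path borrows a trusted org's name.

    Each hit is something a human should review: the file was uploaded by whoever left
    (and possibly deleted) a comment, however reputable the repository in the path is.
    """
    trusted = {org.lower() for org in trusted_orgs}
    hits = []
    for line in log_lines:
        m = _URL_FIELD.search(line)
        if not m:
            continue
        info = classify_github_url(m.group(1))
        if info["kind"] != "comment_attachment":
            continue
        u = _USER_FIELD.search(line)
        hits.append({
            "user": u.group(1) if u else None,
            "url": m.group(1),
            "owner": info["owner"],
            "repo": info["repo"],
            # True when the link impersonates a vendor the organisation normally trusts.
            "trusted_org_path": info["owner"].lower() in trusted,
        })
    return hits


# Constructed entries resembling a web-proxy log; none of these are real downloads.
SAMPLE_PROXY_LOG = [
    "2024-04-20T10:01:02Z user=alice url=https://github.com/microsoft/vcpkg/files/14125503/vcpkg-update.zip status=200",
    "2024-04-20T10:03:15Z user=bob url=https://github.com/microsoft/vcpkg/blob/master/README.md status=200",
    "2024-04-20T10:05:44Z user=carol url=https://github.com/example-org/example-tool/releases/download/v1.2.0/tool.zip status=200",
    "2024-04-20T10:07:09Z user=dave url=https://raw.githubusercontent.com/example-org/example-tool/main/install.sh status=200",
    "2024-04-20T10:09:31Z user=erin url=https://github.com/example-org/example-tool/files/99999999/installer.zip status=200",
    "2024-04-20T10:11:00Z user=frank url=https://example.com/downloads/report.pdf status=200",
]

if __name__ == "__main__":
    for hit in flag_comment_attachment_downloads(SAMPLE_PROXY_LOG, trusted_orgs=["microsoft"]):
        label = "IMPERSONATES TRUSTED ORG" if hit["trusted_org_path"] else "review"
        print(f"{label}: user={hit['user']} {hit['owner']}/{hit['repo']} {hit['url']}")
```

The check deliberately does not try to decide whether a given attachment is malicious; it only separates "published by the repository" from "attached to a comment by anyone", which is the distinction the fake-Microsoft links exploit. Allow-listing an organisation's release and raw URLs while routing its /files/ links to review is the policy that follows from it.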

According to reports from BleepingComputer, businesses are left vulnerable to impersonation through this method, with limited options to safeguard against it.

The only currently suggested solution is to disable comments on GitHub entirely. However, this approach may create more problems than it solves. Legitimate users often rely on the comment section to report issues, provide feedback, and make suggestions for project improvement. Additionally, disabling comments is only temporary: it can be applied for a maximum of six months at a time.

