There have been reports of hackers finding a way to upload malware to GitHub, making it appear as if it was hosted and distributed by legitimate operators. McAfee cybersecurity researchers recently discovered the LUA malware loader being distributed through a repository that seemed to belong to Microsoft on GitHub.
Malware hosted this way is hard to flag because its download link appears to come from a trusted repository. For example, a link to the malware may look like this: https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip. However, searching the vcpkg repository itself for that .zip file turns up nothing.
It seems that when a user attaches a file while writing a comment on a commit or issue, GitHub uploads the file immediately and generates a link like the one above. The file stays uploaded and accessible even if the comment is deleted right after posting, or is never posted at all.
It is unclear if this behavior is a bug or an intentional feature on GitHub’s part. BleepingComputer reports that victim companies have limited options to protect themselves from impersonation. Disabling comments is a possible solution, but it can create more issues as legitimate users often use comments to report bugs or provide suggestions. Furthermore, comments can only be disabled for a maximum of six months at a time.
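Because the attachment links share a recognisable path shape (owner/repo/files/numeric id/filename) and are not part of the repository's committed or released content, defenders can pick them out of proxy or download logs. The following is an added example, not code from the article or from McAfee; the log lines are constructed, and the only real URL is the one quoted above.

```python
import re
from urllib.parse import urlparse

# Path shape of a comment/issue attachment, as shown in the article:
#   /<owner>/<repo>/files/<numeric id>/<filename>
ATTACHMENT_PATH = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)
# Path shapes that point at content actually committed to or released by a repository.
REPO_CONTENT_PATH = re.compile(r"^/[^/]+/[^/]+/(blob|raw|releases/download)/")
# Extensions worth alerting on when they arrive as a comment attachment (assumed list).
SUSPICIOUS_EXT = (".zip", ".rar", ".7z", ".exe", ".msi", ".iso", ".scr")
URL_RE = re.compile(r"https?://[^\s\"']+")


def classify(url: str) -> str:
    """Label a URL: repo-content, comment-attachment, other-github, or not-github."""
    p = urlparse(url)
    if p.hostname not in ("github.com", "www.github.com"):
        return "not-github"
    if REPO_CONTENT_PATH.match(p.path):
        return "repo-content"
    if ATTACHMENT_PATH.match(p.path):
        return "comment-attachment"
    return "other-github"


def find_attachment_downloads(log_lines):
    """Return (owner/repo, filename, url) for comment attachments with a suspicious extension."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            if classify(url) != "comment-attachment":
                continue
            m = ATTACHMENT_PATH.match(urlparse(url).path)
            name = m.group("name")
            if name.lower().endswith(SUSPICIOUS_EXT):
                hits.append((f"{m.group('owner')}/{m.group('repo')}", name, url))
    return hits


# Constructed proxy-log lines (not real traffic); only the first URL is the one quoted in the article.
SAMPLE_LOG = [
    "2024-04-20T10:01:02Z host1 GET https://github.com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip 200",
    "2024-04-20T10:02:10Z host2 GET https://github.com/microsoft/vcpkg/blob/master/README.md 200",
    "2024-04-20T10:03:33Z host3 GET https://github.com/someorg/somerepo/releases/download/v1.0/tool.tar.gz 200",
    "2024-04-20T10:04:41Z host4 GET https://github.com/someorg/somerepo/files/123/screenshot.png 200",
]

if __name__ == "__main__":
    for repo, name, url in find_attachment_downloads(SAMPLE_LOG):
        print(f"ALERT comment attachment served under {repo}: {name} ({url})")
```

A hit only tells you the file was served as a comment attachment under that owner/repo path, not that the repository's maintainers published it; that is exactly the distinction the impersonation relies on.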