Fake files on Github might be malware - even from "Microsoft"

Key notes

  • Attackers abuse GitHub's comment file-upload feature to host malware under the URL path of a trusted repository.
  • The download link carries the repository owner's name (e.g., Microsoft), so the file looks like it comes from that owner.
  • There is currently no per-repository fix; disabling comments stops the abuse but hurts collaboration.

Security researchers have identified a flaw in how GitHub's comment file-upload feature generates download links, and malicious actors are exploiting it to distribute malware.

Here's how it works: when a user attaches a file to a comment in a GitHub repository, GitHub uploads the file immediately and generates a download link for it, even if the comment is never posted. That link is built from the repository's owner and name, so a file attached to a comment on a Microsoft repository gets a URL that starts with github.com/microsoft/, even though no maintainer of that repository has reviewed or accepted the file. A victim who sees the owner's name in the path may assume the file is legitimate.

For instance, an attacker can attach malware to a comment on any repository they can comment on, and the resulting download link will appear to come from that repository's owner, which may be a well-known developer or company such as Microsoft.

In the campaign the researchers found, the malware installers' URLs suggest the files belong to Microsoft, yet nothing in the projects' source code references them:

https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip

https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

Exploiting this requires no technical expertise; attaching a malicious file to a comment is enough.

For example, a threat actor could attach a malicious executable to a comment on NVIDIA's driver installer repository and present it as a new driver that fixes issues in a popular game, or attach a file to a comment on the Google Chromium source code and present it as a new test build of the browser.

Such URLs would appear to belong to those companies' repositories, which makes them far more convincing. The practical lesson is that the owner and repository names in a github.com URL path say nothing about who uploaded the file; only a file that is actually part of the repository's source tree or its published releases carries the maintainers' endorsement.
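A reader-side check, added here as an example rather than anything from the article or from GitHub: the two Microsoft URLs quoted above share the path shape `/<owner>/<repo>/files/<numeric id>/<filename>`, which is where GitHub served those comment attachments, while a repository's own release downloads live under `/<owner>/<repo>/releases/download/<tag>/<filename>`. The Python below assumes that path convention (the regular expressions are this example's own, not a GitHub specification), takes the two quoted URLs plus two constructed ones as input, classifies each URL by its shape, and flags attachments parked under an owner you would otherwise trust. Treat a non-match as unknown rather than safe, since GitHub may serve uploads from paths this check does not know about.

```python
import re
from urllib.parse import urlparse

# Path shapes used by this example. They are taken from the two URLs quoted
# in the article and from the familiar release-download layout; anything
# else is reported as "other" rather than assumed safe.
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)/?$"
)
RELEASE_ASSET_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/(?P<tag>[^/]+)/(?P<name>[^/]+)/?$"
)


def refang(url):
    """Undo the '[.]' defanging used in the article so the URL parses normally."""
    return url.replace("[.]", ".")


def classify(url):
    """Return (kind, owner, repo, filename) for a GitHub download URL.

    kind is 'comment-attachment', 'release-asset', 'other' or 'not-github'.
    A comment attachment lives under /<owner>/<repo>/files/<id>/ and is NOT
    content of that repository: anyone who can write a comment (even one
    they never post) can create it, and nothing in the repo references it.
    """
    parts = urlparse(refang(url))
    if parts.scheme not in ("http", "https"):
        return ("not-github", None, None, None)
    if parts.netloc.lower() not in ("github.com", "www.github.com"):
        return ("not-github", None, None, None)
    m = ATTACHMENT_RE.match(parts.path)
    if m:
        return ("comment-attachment", m["owner"], m["repo"], m["name"])
    m = RELEASE_ASSET_RE.match(parts.path)
    if m:
        return ("release-asset", m["owner"], m["repo"], m["name"])
    return ("other", None, None, None)


def is_lookalike_attachment(url, trusted_owners):
    """True when the URL is a comment attachment parked under an owner the
    reader would trust. This is exactly the case the article describes: the
    owner name in the path proves nothing about who uploaded the file."""
    kind, owner, _repo, _name = classify(url)
    trusted = {o.lower() for o in trusted_owners}
    return kind == "comment-attachment" and owner.lower() in trusted


# Constructed sample input: the two URLs quoted in the article, plus a
# hypothetical release asset and a hypothetical source-file page that
# a trusted owner really does publish and that must not be flagged.
SAMPLE_URLS = [
    "https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
    "https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip",
    "https://github.com/microsoft/vcpkg/releases/download/2024.01.12/vcpkg-tool.zip",  # hypothetical
    "https://github.com/microsoft/STL/blob/main/README.md",  # hypothetical
]

# Owners whose name in a URL path would make a victim drop their guard.
TRUSTED_OWNERS = {"microsoft", "nvidia", "chromium"}


def triage(urls=SAMPLE_URLS, trusted_owners=TRUSTED_OWNERS):
    """Return the subset of urls that are comment attachments under a trusted owner."""
    return [u for u in urls if is_lookalike_attachment(u, trusted_owners)]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        kind, owner, repo, name = classify(u)
        flag = "FLAG" if is_lookalike_attachment(u, TRUSTED_OWNERS) else "ok  "
        print(f"{flag} {kind:18} {owner}/{repo} {name}")
```

Run as-is, the script flags the two quoted Cheat.Lab / Cheater.Pro URLs and leaves the release asset and the README page alone. In a mail gateway or proxy log review the same `classify` call can be applied to every github.com link, with "comment-attachment" under a trusted owner treated as a phishing indicator rather than as a download from that owner.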

Unfortunately, there is currently no way for maintainers to prevent this misuse short of disabling comments entirely, which hinders project collaboration.

While GitHub has removed some of the malware campaigns identified in reports, the underlying flaw remains unaddressed, and it is unclear if or when a fix will be implemented.

More here.
