GitHub malware spreads by hackers spoofing Microsoft files

Abusing the comments section has just gotten an entirely new meaning.

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers have found a way to upload malware to GitHub, and even have it look as if it was hosted and distributed by other, legitimate operators.

This is according to a new report from cybersecurity researchers McAfee, who recently saw the LUA malware loader being distributed through what seems to beMicrosoft’s GitHub repository.

However the malware uploaded to GitHub has some curious features that make it very difficult to spot

Disabling comments

Disabling comments

Here is an example of what a link to the malware looks like:

https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip

Even though it would seem, from the link, that the .zip file was uploaded to the vcpkg library, opening it directly and looking for the archive will yield no results.

Apparently, when a user wants to leave a comment on a commit or an issue, they can also add a file to that comment. That file will automatically be uploaded, and a link will be generated which looks like the one above. The “best” thing about it is that the user can post, and quickly delete the comment, and the file will remain uploaded and available. What’s more, they don’t even have to post the comment, as drafting it will yield the same result.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Right now there isn’t any indication if this is a bug, or an intended feature on GitHub’s side, but according toBleepingComputer, there is very little victim companies can do to protect themselves from being impersonated this way.

The only solution is to disable comments altogether, but that brings more problems than it solves. Legitimate users will often take to the comments section to report bugs, or give quality suggestions for the project. What’s more, comments can only be disabled for a maximum of six months at a time.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption